<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title></title>
	<atom:link href="http://privacyguidance.com/blog/index.php/feed/" rel="self" type="application/rss+xml" />
	<link>http://privacyguidance.com/blog</link>
	<description></description>
	<lastBuildDate>Thu, 17 May 2012 19:29:41 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.3</generator>
		<item>
		<title>Is Frictionless Sharing Like Digital Privacy Cancer?</title>
		<link>http://privacyguidance.com/blog/2012/05/17/is-frictionless-sharing-like-digital-privacy-cancer/</link>
		<comments>http://privacyguidance.com/blog/2012/05/17/is-frictionless-sharing-like-digital-privacy-cancer/#comments</comments>
		<pubDate>Thu, 17 May 2012 14:42:29 +0000</pubDate>
		<dc:creator>Rebecca_Herold</dc:creator>
				<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[big data]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[breach response]]></category>
		<category><![CDATA[change controls]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[DailyMotion]]></category>
		<category><![CDATA[data analytics]]></category>
		<category><![CDATA[data mining]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[foursquare]]></category>
		<category><![CDATA[frictionless sharing]]></category>
		<category><![CDATA[gartner]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[Keywords: personal information]]></category>
		<category><![CDATA[Metacafe]]></category>
		<category><![CDATA[midmarket]]></category>
		<category><![CDATA[Netflix]]></category>
		<category><![CDATA[non-compliance]]></category>
		<category><![CDATA[personally identifiable information]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy breach]]></category>
		<category><![CDATA[privacy professor]]></category>
		<category><![CDATA[privacyprof]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Rebecca Herold]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security engineering]]></category>
		<category><![CDATA[sensitive personal information]]></category>
		<category><![CDATA[Socialcam]]></category>
		<category><![CDATA[SPI]]></category>
		<category><![CDATA[spotify]]></category>
		<category><![CDATA[systems security]]></category>
		<category><![CDATA[Viddy]]></category>
		<category><![CDATA[Washington post]]></category>
		<category><![CDATA[WPO]]></category>
		<category><![CDATA[Zuckerberg]]></category>

		<guid isPermaLink="false">http://privacyguidance.com/blog/?p=3189</guid>
		<description><![CDATA[I was recently speaking with a friend on the phone, and she said, “I just had the most embarrassing thing happen!  I had one of my Facebook friends send me a text teasing me about reading a rather sleazy article on TMZ. I did not know what she was talking about! So, I went to [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">I was recently speaking with a friend on the phone, and she said, “I just had the most embarrassing thing happen!  I had one of my Facebook friends send me a text teasing me about reading a rather sleazy article on TMZ. I did not know what she was talking about! So, I went to my Facebook page, and sure enough, down the timeline there was an article I had only briefly gone to the previous day after clicking a headline about moms on Google news and landed on a page; I quickly got off of when I saw it. I was so embarrassed to see that my brief visit to the page had been posted on my Facebook page! I don’t even go to TMZ on purpose, why is Facebook suddenly tattling on me when it accidentally went there?”<span id="more-3189"></span></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Ah, yes; one more unaware victim of a click-by frictionless sharing privacy incident!</span></p>
<p style="text-align: left;"><strong style="font-family: arial, helvetica, sans-serif;">What is “Frictionless Sharing”?</strong></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">The first time I saw the term “friction-less sharing” was in 2011, reading about <a href="http://www.facebook.com/pages/Frictionless-sharing/350951541594528" target="_blank">the F8 Developers Conference, when Mark Zuckerberg</a> was explaining how Facebook’s sharing of copious amounts of activity data with the rest of the world, on Facebook walls and with unlimited numbers of third parties, was a good thing; as he put it, it allowed “real-time serendipity in a friction-less experience” with regard to sharing activities. Talk about spinning that message! He did not come up with this term, though; <a href="http://www.ciradar.com/testold/test/free-analyst-reports-all/10-11-19/Gartner_Magic_Quadrant_for_Data_Integration_Tools_-_November_2010.aspx" target="_blank">it was used in a Gartner Magic Quadrant report in November 2010</a>, and probably before that time as well. While it is not a term coined by Zuckerberg, I guess he gets the credit for making it popular.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">In a nutshell, “frictionless sharing” is a passive service that allows apps, such as those used by Netflix, the Washington Post, Spotify and Foursquare, and social media sites, such as Facebook, to automatically share your activity with a very wide, and possibly unlimited, number of entities and locations as you visit different websites, go to different places, view different videos and photos, listen to different music, read different ads and articles, and so on. Sure, you must first give the service permission to share automatically on your behalf, but once you have given that permission, you have essentially granted unknown others unfettered access to build your personal online diary across these services; they fill in the digital pages for you, without you ever needing to give any further consent or explicitly click any more sharing buttons.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong>I’ve Got Nothing to Hide!</strong></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">There are a lot of folks out there, most of whom have not really paused to think critically about privacy issues and all the actions that can negatively impact lives when privacy protections are not in place, who nonchalantly proclaim, “Privacy!? Pfft!!! I’ve done nothing wrong, so I have nothing to hide! Only criminals worry about privacy!” And yet, if you ask to read their emails, look at their website visit logs, or look at their credit card statements, they huff, “Well, no! I’m not going to show you that! That’s personal!” I don’t know any person who truly has nothing to hide.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">I’m seeing more exasperated posts from people who may have thought they had nothing to hide, but then were embarrassed to find their innocent peeks, or stumblings, into videos, websites or locations posted, unexpectedly, for the world to see and for marketers to use. What most folks don’t realize is that in the fine print of many (or most) of the services asking for consent to automatically post to your sites, walls and so on whenever you take specific actions, the service also indicates that it may share your data with other third-party services, which can in turn post even more of your activities in even more locations, wherever they want to publicize to the world that others (including you) are using them.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong>Like Digital Privacy Cancer, Or Simply TMI?</strong></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">The ubiquitous manner in which a person’s online actions, as well as many physical activities, are shared through frictionless sharing is in many ways like a type of digital privacy cancer: bits and crumbs of information about personal activities creep quickly through the ether, unbeknownst to those to whom they apply, until the information is used, and possibly abused, to the point that the associated individuals no longer have any control over how their personal information is used, shared, sold, or otherwise monetized for the benefit of all those receiving it. Much like an aggressive form of cancer, the personal information has morphed and skewed perceptions of the individuals involved so extensively that no amount of digital chemotherapy can remove the personal information from the online world, or, perhaps worse, correct it. Sound too dramatic and sensational? Perhaps. Perhaps not. Time will tell.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Another way to look at frictionless sharing is that it results in a continuous, often overabundant stream of messages about those who are using (or subjected to) it. There are so many constant dribs and drabs of messages being posted about every minute detail of their activities that it results in too much information (TMI) that really is of no consequence to all those getting the messages. In fact, it can be quite annoying. Some of my Facebook friends have unfriended others who were sharing way too much information. One friend told me, “Ew, I really find it gross to see Shawn watching all those icky videos and listening to that women-hating music. I don’t want to see it any more!” Yeah, and I hope they don’t start rolling out toilet apps any time soon; based upon what some of my Twitter, and even LinkedIn, contacts post, I know some folks who would be the first to use them. T! M! I!</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">By the way, there are a growing number of frictionless sharing apps for video viewing, such as <a href="http://socialcam.com/" target="_blank">Socialcam</a>, <a href="http://metacafe.com/" target="_blank">Metacafe</a>, <a href="http://dailymotion.com/" target="_blank">DailyMotion</a> and <a href="http://viddy.com/" target="_blank">Viddy</a>.  And likely many more I don’t know about.  You can bet more are on the way.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong>Do Your Frictionless Due Diligence</strong></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">So, can frictionless sharing improve business? Apparently it is helping the Washington Post, Facebook, Netflix, Spotify, Foursquare, all the video viewing apps, and a large variety of other apps and social media businesses, or they wouldn’t invest so much in doing it. I can certainly understand the appeal from a marketing and sales point of view: a vast army of unpaid advertising testimonials can now be automatically generated and posted in ways and quantities that just a few years ago could only be dreamt about. However, the number of related privacy concerns and issues continues to mount.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Organizations of all sizes are eager to get to that data. However, any organization, of any size, must make sure it isn’t doing things that will alienate customers or result in privacy violations. Startups need to make sure they will not do something that could put them out of business before they’ve even left the gate.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Before employing the use of frictionless sharing within your organization, be sure to address the following:</span></p>
<ol style="text-align: left;">
<li><span style="font-family: arial, helvetica, sans-serif;"><strong>Check your privacy policy</strong>.  Will your frictionless sharing activities violate your security and/or privacy policies? If your organization insists on using frictionless sharing, is it feasible to update the policies? </span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><strong>Who are the third parties you will share the frictionless sharing data with?</strong> Have you vetted their information security and privacy program and associated practices? Could their actions put your organization in business and/or legal jeopardy?</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><strong>How long will you keep all the data collected</strong>? Cumulatively, the information collected through frictionless sharing provides a type of automated diary of people’s lives. The longer the data is retained, the more the organizations, and those they share their data with, will know about all the individuals. By limiting the length of time the data is retained, you at least limit the span of time over which you can peer into the lives of others.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><strong>Who will be accessing or using the data</strong>? I am always concerned about who gets information about personal activities, and how that information will subsequently be used. Something I’ve contemplated is how this treasure trove of frictionless sharing data about the daily goings-on of people’s lives may be used… </span>
<ol>
<li><span style="font-family: arial, helvetica, sans-serif;">in e-discovery for legal cases, </span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">by investigators, such as those looking for evidence in divorce, crime or other cases, </span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">by government agencies, such as for terrorist profiling and to validate audits or valuations,</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">by retailers to target market even more than they are doing today, and</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">by insurance companies to make changes in policy coverages and premium costs.</span></li>
</ol>
</li>
<li><span style="font-family: arial, helvetica, sans-serif;"><strong>How will your organization answer requests to remove the data of specific individuals? </strong>I know individuals who have been so taken aback to see their information posted for the world to see that they are demanding that their data be removed. Is this even possible, considering how the data is stored and propagated throughout a wide range of storage areas and other entities?</span></li>
</ol>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong>Bottom line for all organizations, from the largest to the smallest: </strong>Frictionless sharing can bring marketing benefits, but they may be short-lived if you tick off your customers and the population at large.</span></p>
<p style="text-align: left;"><strong style="font-family: arial, helvetica, sans-serif;">Other Information about Frictionless Sharing</strong></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">To learn more about frictionless sharing, the good, the bad and the ugly, here are just a few more articles to check out:</span></p>
<ul style="text-align: left;">
<li><span style="font-family: arial, helvetica, sans-serif;"><em>Why Facebook’s Frictionless Sharing Is the Future</em>: <a href="http://www.businessweek.com/technology/why-facebooks-frictionless-sharing-is-the-future-10032011.html">http://www.businessweek.com/technology/why-facebooks-frictionless-sharing-is-the-future-10032011.html</a>. Analysis and criticisms of the benefits and downfalls.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><em>As the ‘Friction-Less’ Web Grows, Friction Against It Does Too</em>: <a href="http://www.pbs.org/mediashift/2012/04/as-the-friction-less-web-grows-friction-against-it-does-too116.html">http://www.pbs.org/mediashift/2012/04/as-the-friction-less-web-grows-friction-against-it-does-too116.html</a>. Provides a nice listing of organizations using frictionless sharing, in addition to some good examples of the problems involved.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><em>Check-In Service Usage Has More Than Doubled In Past 9 Months, Study Says</em>: <a href="http://marketingland.com/check-in-service-usage-has-more-than-doubled-in-past-9-months-study-says-11792?utm_source=fbwallhd&amp;utm_medium=facebook&amp;utm_campaign=wall">http://marketingland.com/check-in-service-usage-has-more-than-doubled-in-past-9-months-study-says-11792?utm_source=fbwallhd&amp;utm_medium=facebook&amp;utm_campaign=wall</a>. A new Pew Research Center study shows the number of Americans using frictionless sharing check-in services has more than doubled in the past nine months.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">A September 2011 letter from the Electronic Privacy Information Center (“EPIC”), the American Civil Liberties Union, the American Library Association, the Bill of Rights Defense Committee, the Center for Digital Democracy, the Center for Media and Democracy, Consumer Action, Consumer Watchdog, PrivacyActivism, and Privacy Times asking the Federal Trade Commission (FTC) to investigate Facebook for its use of frictionless sharing and any inconsistencies it creates with Facebook’s policies. They outline a long list of privacy concerns within this letter: <a href="http://www.consumerwatchdog.org/resources/ltrepicftc092811.pdf">http://www.consumerwatchdog.org/resources/ltrepicftc092811.pdf</a></span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><em>Facebook Frictionless Sharing Whips Privacy Advocates into Frenzy</em>: <a href="http://www.eweek.com/c/a/Security/Facebook-Frictionless-Sharing-Whips-Privacy-Advocates-into-Frenzy-404718/">http://www.eweek.com/c/a/Security/Facebook-Frictionless-Sharing-Whips-Privacy-Advocates-into-Frenzy-404718/</a>. Interesting perspectives from just 7 months ago. Read the reaction that Pete Cashmore, “a pioneering social media blogger,” had, resulting in him uninstalling such frictionless sharing apps. Have the related concerns been addressed? I’ll leave that to your judgment.</span></li>
</ul>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">This post was written as part of the <a href="http://goo.gl/VQ40C" target="_blank">IBM for Midsize Business</a> program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.</span></p>
<p style="text-align: left;"><a href="http://privacyguidance.com/blog/wp-content/uploads/2012/05/IBM1.jpg"><img class="alignleft size-full wp-image-3190" title="IBM" src="http://privacyguidance.com/blog/wp-content/uploads/2012/05/IBM1.jpg" alt="" width="112" height="45" /></a></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><!-- Start of StatCounter Code for Default Guide --><br />
<script type="text/javascript">// <![CDATA[
var sc_project=7554084; 
var sc_invisible=1; 
var sc_security="63857128";
// ]]&gt;</script><br />
<script src="http://www.statcounter.com/counter/counter.js" type="text/javascript"></script><br />
<noscript></p>
<div class="statcounter"><a title="tumblr visitor" href="http://statcounter.com/tumblr/" target="_blank"><img class="statcounter" src="http://c.statcounter.com/7554084/0/63857128/1/" alt="tumblr visitor"></a></div>
<p></noscript><br />
<!-- End of StatCounter Code for Default Guide --></p>
<div id="facebook_like"><iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fprivacyguidance.com%2Fblog%2F2012%2F05%2F17%2Fis-frictionless-sharing-like-digital-privacy-cancer%2F&amp;layout=standard&amp;show_faces=true&amp;width=500&amp;action=like&amp;font=segoe+ui&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:500px; height:80px;" allowTransparency="true"></iframe></div><div name="googleone_share_1" style="float: right; margin-left: 10px;"><g:plusone size="tall" count="1" href="http://privacyguidance.com/blog/2012/05/17/is-frictionless-sharing-like-digital-privacy-cancer/"></g:plusone></div>]]></content:encoded>
			<wfw:commentRss>http://privacyguidance.com/blog/2012/05/17/is-frictionless-sharing-like-digital-privacy-cancer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Big Brother Likes Big Data &#8211; Balancing Privacy with Innovation</title>
		<link>http://privacyguidance.com/blog/2012/05/02/big-brother-likes-big-data-balancing-privacy-with-innovation/</link>
		<comments>http://privacyguidance.com/blog/2012/05/02/big-brother-likes-big-data-balancing-privacy-with-innovation/#comments</comments>
		<pubDate>Wed, 02 May 2012 21:38:21 +0000</pubDate>
		<dc:creator>Rebecca_Herold</dc:creator>
				<category><![CDATA[privacy]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[big data]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[breach response]]></category>
		<category><![CDATA[change controls]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[data analytics]]></category>
		<category><![CDATA[data mining]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[midmarket]]></category>
		<category><![CDATA[non-compliance]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[personally identifiable information]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[privacy breach]]></category>
		<category><![CDATA[privacy professor]]></category>
		<category><![CDATA[privacyprof]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Rebecca Herold]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security engineering]]></category>
		<category><![CDATA[sensitive personal information]]></category>
		<category><![CDATA[SPI]]></category>
		<category><![CDATA[systems security]]></category>
		<category><![CDATA[Target]]></category>
		<category><![CDATA[Wal-Mart]]></category>

		<guid isPermaLink="false">http://privacyguidance.com/blog/?p=3182</guid>
		<description><![CDATA[My 12-year-old son said to me yesterday after getting home from school, “Hey, Mommy, did you know that Wal-Mart can tell when you’re pregnant? And so can Target!  Even before anyone else knows! They got a girl in trouble when they sent her dad coupons for baby stuff and congratulated her!” Me, “That’s pretty incredible, [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">My 12-year-old son said to me yesterday after getting home from school, “Hey, Mommy, did you know that Wal-Mart can tell when you’re pregnant? And so can Target!  Even before anyone else knows! They got a girl in trouble when they sent her dad coupons for baby stuff and congratulated her!”</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Me, “That’s pretty incredible, isn’t it?  Companies are able to discover things like that about people more than ever before through analyzing what is called ‘Big Data’.”</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Son, “That’s really creepy. I think you should<span id="more-3182"></span> look into that for your privacy business!”</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Glad he’s paying attention to privacy issues.  <img src='http://privacyguidance.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' />  </span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong>So, what is “Big Data”?</strong></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">If you haven’t heard the term “Big Data” yet, you’re obviously seeing it now, but expect to see it a lot more in the coming months and years.  Basically Big Data is a term used to refer to the huge amount of data that is being created, and collectively examined, through the many online sites, as well as offline sites and vast repositories.  The amount of data created now is staggering when compared to just a few years ago.  Here are <a href="http://shari.visibli.com/share/JmFHk3" target="_blank">a couple of fun Big Data facts</a>:</span></p>
<ul style="text-align: left;">
<li><span style="font-family: arial, helvetica, sans-serif;">90% of all the data in the world was created in just the past two years; isn’t that amazing!</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">There is an average of 2.7 billion “likes” and “comments” posted just on Facebook each day. Judging by the targeted ads, most of this data is then used by marketers; all these “likes” and “comments” are added into the Big Data pot and associated with the people who made them.</span></li>
</ul>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Every piece of digital data you leave online, right down to each of your “likes,” Twitter re-tweets, hash tag terms, videos viewed, and so on, all become part of Big Data.  It all gets included and considered within all the analysis algorithms being used for research, marketing, investigations, and an unlimited number of other activities.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong>Who’s using Big Data?</strong></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">It may be easier to list who isn’t using Big Data than those who are.  Here are just a few of the ways in which Big Marketers and others are salivating over the limitless uses they can get from Big Data and the associated analysis.</span></p>
<ul style="text-align: left;">
<li><span style="font-family: arial, helvetica, sans-serif;"><a href="http://www.forbes.com/sites/bruceupbin/2012/04/26/how-intuit-uses-big-data-for-the-little-guy/" target="_blank">Tax preparation organizations, such as Turbotax, like to tout the benefits to make &#8220;online tax prep more adaptive and predictive&#8221; for their customers</a>.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><a href="http://www.forbes.com/sites/bruceupbin/2012/04/26/how-intuit-uses-big-data-for-the-little-guy/" target="_blank">Payroll and payment processing businesses, such as Intuit, like to &#8220;keep its customers loyal and happy.</a>&#8221; </span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><a href="http://www.youtube.com/watch?v=op_bwbCnIF0&amp;list=PLB9E3104878A39FDD&amp;index=1&amp;feature=plpp_video" target="_blank">Museums, zoos and other public attraction businesses, such as the Cincinnati Zoo</a>, are using Big Data analytics to determine what visitors purchase, the areas where they spend the most time, their favorite attractions, and when potentially high-spending visitors are in the area.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><a href="http://asmarterplanet.com/blog/2012/03/making-sense-of-big-data-to-fight-crime.html" target="_blank">Law enforcement and investigators are using Big Data analytics to track crime incidents, catch crooks</a> and increase public safety. </span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><a href="http://www.cfoworld.com/strategic-finance/37824/small-business-wins-big-data" target="_blank">New search engines are being created to use semantic technology</a> to improve search results and bring business benefits.</span></li>
</ul>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">And the list could go on and on.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">I certainly agree that being able to better analyze data can bring significant benefits to the public in general, for making medical research breakthroughs and other truly valuable contributions. However, based upon what I’m reading, I’m seeing more emphasis being placed upon the benefits that Big Data analysis can have for marketing, driving more sales, and making companies more profitable, after the idea of Big Data was sold to the public for the nobler purposes mentioned earlier.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">I did a very quick and unscientific check online of news articles written about Big Data in the past two days and got 12,900 results. If I had done this search of news articles a year ago, I would have gotten four results, two of which were for lower case “big data” (meaning it wasn’t used as a specific term as it is now).</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">And yes, I understand the irony that my searches are now part of the Big Data repositories.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong>What’s that got to do with privacy?</strong></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">“<em>With great power comes great responsibility</em>.” – Uncle Ben to Peter Parker in Spiderman (I love this quote; it applies to so many situations where privacy can be exploited.)</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Complex data analysis capabilities not only make it easier for businesses to customize their services for their customers; all that data, and the customization built on it, can reveal a great deal of personal information about the customers, their personal lives and activities, and those of their friends and families.  Such powerful algorithms can take otherwise “de-identified” data that, on its own, cannot be attributed to specific individuals, quickly correlate many pieces of the data puzzle, and determine, sometimes with amazing clarity, the actions, likes, history and, as we’ve seen, even the medical conditions of specific individuals.  The more data that exists, and the more data sets that share attributes they can be joined on, the more likely such correlations become.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Businesses need to carefully consider the potential privacy issues involved with using analytics and Big Data.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong>“There are no laws against using Big Data, so there are no privacy issues!”</strong></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">I am hearing this argument from many company and consulting lawyers more often; if there isn’t a law against using data then it must be okay and not cause privacy issues. Right?  No, not right.  Technology and the associated uses always evolve and are actively being used (and sometimes abused) long before any laws or regulations can be hammered out and agreed to, especially by an increasingly divisive group of lawmakers.  And laws and regulations are overwhelmingly reactionary.  Typically they are not created until a significant number of bad events have happened.  Until that time businesses, of all sizes, need to become good data and privacy stewards and make thoughtful decisions about how they are using data, keeping in mind that their actions may not only reveal information that is valuable for business, but that may at the same time reveal explicit information about individuals in unintended ways.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Here are some questions large, medium and small businesses need to ask before they dive into using Big Data and deciding upon a Big Data analytics agreement and/or tool:</span></p>
<ol style="text-align: left;">
<li><span style="font-family: arial, helvetica, sans-serif;"><strong>Is the analytics company bringing in additional data from elsewhere to combine with your company’s data?</strong> Growing numbers of organizations are using de-identified data internally, but with the requirement that it cannot be shared with others.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><strong>Will the analytics company take all your data, including what they label as “de-identified,” and use it outside of your organization, for analytics activities with other companies?</strong> If so, you may be violating your own posted privacy policy. Have you read it lately? Does your company actually do what it promises to your website visitors and customers?</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><strong>What does the company really mean when they say they have “de-identified” the data?</strong> This is a very fuzzy, subjective term.  Is such de-identification really removing the ability to point to specific individuals? This may be the case with just your company’s de-identified data, but if it is combined with other data sets it could actually become “re-identified” data capable of pointing to specific individuals. </span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><strong>If you are using “publicly available” data, how does the data analytics vendor collect all the data they are using?</strong> Are they glomming on to every type of data possible, even data from online sites that may have been left unsecured, but really should have been secured? For example, one marketing vendor told me if they find unsecured personal data on financial or retail sites, they grab it; they justify this by telling me that if it was off limits it would have been secured.  Just because data is not appropriately secured does not mean it is available for anyone to take. You need to determine the type of online ethics the company has (or lacks).</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><strong>Are you planning to contact customers as a result of your Big Data analysis in ways that could be considered creepy at the least, or mind-blowingly privacy invasive at worst?</strong> (Refer back to the <a href="http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?pagewanted=all" target="_blank">Target baby coupon example.</a>)</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><strong>Are you making business decisions using assumptions, based upon the results of Big Data analysis, which are incorrect?</strong> For example, do you deny insurance coverage to someone because of such results? Or, make hiring decisions? Send communications regarding physical or medical assumptions?  Target individuals as potential terrorists or criminals? Etc.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><strong>Have you discussed your plans with your Information Security, Privacy and Compliance officers?</strong> This is very important; you should never make business decisions involving data that reveals information about individuals, their activities, likes and dislikes, medical conditions and so on, without talking to these folks.  Even if the data is labeled “de-identified” make sure that term fits your organization’s definition.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><strong>Do you have company policies covering the use of Big Data?</strong> If not, now is the time to create some, in collaboration with your Information Security, Privacy and Compliance areas. </span></li>
</ol>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Big Data is going to continue being used more widely, for more reasons. All organizations need to keep in mind the privacy impacts of such use before they cross over the line of doing what’s reasonable to violating individuals’ privacy.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong>Bottom line for all organizations, from the largest to the smallest: </strong>Big Data and associated analytics can be used to improve business and customer experiences, and bring innovation and medical breakthroughs.  However, organizations must make sure they don’t cross over that line of customization and business improvement into creepiness, and then full-blown privacy invasion.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong>Other information about Big Data</strong></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">To learn more about how Big Data can be used, for good purposes as well as in ways that push the privacy boundaries, consider checking out the following articles.</span></p>
<ul style="text-align: left;">
<li><span style="font-family: arial, helvetica, sans-serif;"><em>&#8220;<a href="http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?pagewanted=all" target="_blank">How Companies Learn Your Secrets</a>&#8221;</em> A good article about that situation where Target told a dad his daughter was pregnant based upon her purchasing habits; the situation my son heard about and found so creepy.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><em>&#8220;<a href="http://www-01.ibm.com/software/data/bigdata/" target="_blank">What is Big Data?</a>&#8221;</em> This provides not only a nice description of Big Data, but has some really interesting statistics.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><em>“<a href="http://asmarterplanet.com/blog/2012/04/pastries-and-predictions-finding-hidden-trends.html" target="_blank">Pastries and Predictions: Finding Hidden Trends</a>”</em> Using Big Data to determine buying trends.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><em>&#8220;<a href="http://www.kcrw.com/media-player/mediaPlayer2.html?type=audio&amp;id=tp120402will_big_data_and_bi" target="_blank">Will Big Data and Big Money Mean Big Trouble?</a>&#8221;</em> Interesting podcast (~51 minutes) interview with a Big Data vendor and Mark Rotenberg, Executive Director at EPIC. NOTE: Some other topics are discussed before getting to this main topic.</span></li>
</ul>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">This post was written as part of the <a href="http://goo.gl/VQ40C" target="_blank">IBM for Midsize Business</a> program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.</span></p>
<p style="text-align: left;"><a href="http://privacyguidance.com/blog/wp-content/uploads/2012/05/IBM.jpg"><img class="alignleft size-full wp-image-3183" title="IBM" src="http://privacyguidance.com/blog/wp-content/uploads/2012/05/IBM.jpg" alt="" width="119" height="48" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://privacyguidance.com/blog/2012/05/02/big-brother-likes-big-data-balancing-privacy-with-innovation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Back to the Future Security Basics: Security through Obscurity Still Does Not Work</title>
		<link>http://privacyguidance.com/blog/2012/04/17/back-to-the-future-security-basics-security-through-obscurity-still-does-not-work/</link>
		<comments>http://privacyguidance.com/blog/2012/04/17/back-to-the-future-security-basics-security-through-obscurity-still-does-not-work/#comments</comments>
		<pubDate>Tue, 17 Apr 2012 21:01:56 +0000</pubDate>
		<dc:creator>Rebecca_Herold</dc:creator>
				<category><![CDATA[BA]]></category>
		<category><![CDATA[CE]]></category>
		<category><![CDATA[healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Privacy Incidents]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[breach response]]></category>
		<category><![CDATA[change controls]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[DTS]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[Medicaid]]></category>
		<category><![CDATA[midmarket]]></category>
		<category><![CDATA[non-compliance]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[personally identifiable information]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy breach]]></category>
		<category><![CDATA[privacy professor]]></category>
		<category><![CDATA[privacyprof]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Rebecca Herold]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security engineering]]></category>
		<category><![CDATA[sensitive personal information]]></category>
		<category><![CDATA[SPI]]></category>
		<category><![CDATA[systems security]]></category>
		<category><![CDATA[Utah]]></category>

		<guid isPermaLink="false">http://privacyguidance.com/blog/?p=3173</guid>
		<description><![CDATA[Last week I provided Howard Anderson at HealthInfosecurity.com with some of my thoughts about the recent Utah Department of Health breach of the files of 900,000 individuals, and counting. He included some of my thoughts in his blog post, along with thoughts from others. I wanted to provide my full reply here, along with some [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Last week I provided Howard Anderson at HealthInfosecurity.com with some of my thoughts about <a href="http://www.statesman.com/news/nation/utah-nearly-900-000-people-have-records-hacked-2293076.html" target="_blank">the recent Utah Department of Health breach</a> of the files of 900,000 individuals, and counting. He included some of my thoughts <a href="http://www.healthcareinfosecurity.com/blogs/utah-hack-attack-lessons-learned-p-1244" target="_blank">in his blog post</a>, along with thoughts from others.  I wanted to provide my full reply here, along with some expanded thoughts.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">As background, for those of you who may not have heard of this hack yet, in a nutshell:<span id="more-3173"></span></span></p>
<ol style="text-align: left;">
<li><span style="font-family: arial, helvetica, sans-serif;">The data breach occurred on March 30</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">A configuration error occurred at the password authentication level</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">This allowed hacker(s), located in Eastern Europe, to obtain files containing sensitive information by circumventing the Utah Department of Technology Services’ (DTS’s) security system.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">The files were stored on a server that contained Medicaid information at DTS.</span></li>
</ol>
<p style="text-align: left;"><span style="text-decoration: underline; font-family: arial, helvetica, sans-serif;"><strong>Why Does A Breach Like This Happen?</strong></span><br />
<span style="font-family: arial, helvetica, sans-serif;"> What is important to note about this breach is that <a href="http://www.network-7.com/utahs-medicaid-data-breach-worse-than-expected/" target="_blank">it reportedly resulted from not following procedures</a>, which allowed an incorrect configuration to reach production and leave the door open for attackers, coupled with inadequate monitoring of network activity.   I believe such mistakes, oversights, and outright &#8220;&#8230;<em>well, no one&#8217;s going to catch this</em>&#8230;&#8221; types of situations are likely widespread.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">I know from my years as a systems analyst, and maintaining a large change control system, that it is not only very easy for mistakes to occur within the network security architecture of a complex set of systems, but that there will always be some humans involved who are tempted to bypass important security controls because they slow them down, are cumbersome to follow, take too long to perform, or they simply believe that no one will ever be able to find such a vulnerability.  It frustrated me all those years ago to spend a lot of time maintaining an effective, well documented, secure system only to walk through the various programming areas and see certain individuals working together to bypass the controls within the system.  For example, upon at least a half dozen occasions I found the Directors of various programming areas, who were supposed to serve as the final approval of moving code into production after performing certain reviews to ensure the code had been appropriately tested and vetted (that took only a few minutes), leaving their computers logged on at the approval screen to allow the programmers to simply go into their offices and submit the approval themselves.  Did any bad code ever get into production through these managers’ areas? Oh, indeed.  I know from speaking with many programmers and other IT staff since those early experiences that such activities still occur throughout all organizations.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">During the hundreds of information security and privacy audits I&#8217;ve performed over the years I&#8217;ve heard a large percentage of the IT folks I’ve interviewed give me statements to the general effect of, &#8220;<em>Really, what is the likelihood of anyone being able to find one hole in the system? It&#8217;s very unlikely. These are large complex systems! Skipping some settings is usually not that big of a deal with all the other controls that are in place</em>.&#8221;  The long-held belief in security by (perceived) obscurity still prevails, and it is as flawed as it ever was. An attacker does not need to understand the whole complex system, only the one setting that was skipped; automated scanners find such a hole in the blink of an eye, and exploit tools use it just as quickly.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Only an investigation and associated audit will determine exactly why controls were inadequate and procedures not followed in the Utah DTS breach; purposeful disregard of the procedures may not be a factor.  Perhaps there simply weren’t adequate security controls in place to begin with.  Time will tell.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong><span style="text-decoration: underline;">Hackers Hack Where The Digital Jewels Are Stored</span></strong></span><br />
<span style="font-family: arial, helvetica, sans-serif;"> This incident should also make clear to business leaders, in all types of organizations, that there are attackers keeping an eye on organizations whose systems they view as prime targets, holding gold mines of valuable data, if they can find one hole to slip through.  Hospitals, insurance companies, their business associates (of all sizes), government agencies, banks, and many other types of organizations, of all sizes, possess huge amounts of data that can be used by any number of cybercriminals, in any number of ways, and sold to other crooks for large sums of money. Many cybercriminals also want access to system capabilities themselves (e.g., bandwidth, which they resell to whoever wants a superfast connection). Such data in malicious hands can lead to system downtime, identity theft, medical identity theft and financial fraud, to name just a few, and its misuse can truly impact the lives and health of the patients involved.</span></p>
<p style="text-align: left;"><span style="text-decoration: underline; font-family: arial, helvetica, sans-serif;"><strong>Back to the Future Security Basics</strong></span><br />
<span style="font-family: arial, helvetica, sans-serif;"> This incident points out the need for organizations, of all sizes and in all industries, to do the following to help prevent the same type of breach as the one at Utah DTS:</span></p>
<ul style="text-align: left;">
<li><span style="font-family: arial, helvetica, sans-serif;">Have well documented systems and applications procedures and supporting standards in place that are consistently followed</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Provide training and ongoing awareness for the procedures and standards</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Log changes consistently, and have teams responsible for reviewing the logs, and maintaining the logs for an appropriate period of time</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Perform ongoing audits to catch such configuration errors</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Have a change control process in place to help keep the mistakes of individuals from being put into production</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Use intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) to identify inappropriate access as soon as possible</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Create and maintain well documented breach detection and response plans</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Establish breach response teams and provide them with periodic training and ongoing awareness communications</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Engage independent third parties to perform periodic vulnerability scans and penetration tests</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Encrypt sensitive data, in transit and at rest, in all storage locations, and keep the decryption keys out of reach of the same access path that reaches the data; encryption only helps if a compromised server or account cannot also read the keys. As this incident demonstrates, even if a sensitive file is located on a network behind a firewall, the bad guys may still be able to get to it.</span></li>
</ul>
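<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">The bullets above on change control, change logging, log review and ongoing audits come together in a routine that is easy to automate. The following is an added example, not anything from the Utah DTS investigation or from IBM: a small Python audit that compares a server's live settings against the approved baseline, matches every deviation to a change-control ticket, and flags drift that has no ticket, that was approved by its own author, or that touches an authentication or encryption setting. The baseline, the observed snapshot, the tickets, the user names and the setting names are all constructed for the example and describe no real system.</span></p>

```python
"""Configuration-drift audit reconciled against a change-control log.
Added example; the baseline, observed snapshot and tickets are constructed
and do not describe the Utah DTS systems or any other real environment."""
from dataclasses import dataclass

# Settings where any drift from baseline is reported even when a ticket exists.
CRITICAL_SETTINGS = {"auth.required", "auth.default_password_allowed", "storage.encrypt_at_rest"}

APPROVED_BASELINE = {  # constructed: the reviewed, documented secure configuration
    "auth.required": True,
    "auth.default_password_allowed": False,
    "auth.lockout_threshold": 5,
    "storage.encrypt_at_rest": True,
    "logging.level": "info",
    "net.listen_port": 8443,
}

OBSERVED_CONFIG = {  # constructed: what a scan of the running server reports today
    "auth.required": False,        # authentication switched off; nobody filed a change for this
    "auth.default_password_allowed": False,
    "auth.lockout_threshold": 10,  # changed under CHG-101
    "storage.encrypt_at_rest": True,
    "logging.level": "error",      # changed under CHG-102
    "net.listen_port": 8443,
}

CHANGE_LOG = [  # constructed change-control records: who asked, who approved
    {"ticket": "CHG-101", "setting": "auth.lockout_threshold", "new_value": 10,
     "author": "jdoe", "approver": "mgr1"},
    {"ticket": "CHG-102", "setting": "logging.level", "new_value": "error",
     "author": "jdoe", "approver": "jdoe"},   # the author approved their own change
]


@dataclass
class Finding:
    setting: str
    expected: object
    observed: object
    status: str      # "approved", "self_approved" or "unapproved"
    severity: str    # "critical" or "medium"
    ticket: str = ""


def compute_drift(baseline, observed):
    """Settings whose live value differs from baseline (a key missing on either
    side also counts as drift). Returns {setting: (expected, observed)}."""
    drift = {}
    for key in sorted(set(baseline) | set(observed)):
        if baseline.get(key) != observed.get(key):
            drift[key] = (baseline.get(key), observed.get(key))
    return drift


def reconcile(drift, change_log):
    """Match each drifted setting to a change ticket that produced exactly the
    observed value; flag missing tickets and author-approved tickets."""
    by_setting = {}
    for c in change_log:
        by_setting.setdefault(c["setting"], []).append(c)
    findings = []
    for setting, (expected, observed) in drift.items():
        severity = "critical" if setting in CRITICAL_SETTINGS else "medium"
        matching = [c for c in by_setting.get(setting, []) if c["new_value"] == observed]
        if not matching:
            findings.append(Finding(setting, expected, observed, "unapproved", severity))
            continue
        ticket = matching[-1]
        status = "self_approved" if ticket["approver"] == ticket["author"] else "approved"
        findings.append(Finding(setting, expected, observed, status, severity, ticket["ticket"]))
    return findings


def audit(baseline, observed, change_log):
    """Findings that need action: unapproved or self-approved drift, plus any
    drift on a critical setting even when a ticket exists (revert it, or
    re-baseline it through review)."""
    findings = reconcile(compute_drift(baseline, observed), change_log)
    return [f for f in findings if f.status != "approved" or f.severity == "critical"]


if __name__ == "__main__":
    for f in audit(APPROVED_BASELINE, OBSERVED_CONFIG, CHANGE_LOG):
        print(f"[{f.severity.upper()}] {f.setting}: expected {f.expected!r}, "
              f"found {f.observed!r} ({f.status}{' ' + f.ticket if f.ticket else ''})")
```

<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Run against real configuration exports on a schedule, with the output routed to the team that reviews the change logs, a routine like this catches an authentication setting that was switched off the same day, ticket or no ticket, rather than leaving it for an attacker to find. The self-approval check is the automated version of the separation of duties that the directors in the story above defeated by leaving their approval screens logged on.</span></p>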
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">All these activities are part of an effective risk management program, which is required by, and supports compliance with, HIPAA, GLBA and other regulations. And, considering all the sophisticated automated tools cybercriminals have at their disposal, such a program is a necessary part of doing business today, to protect against threats that are both real and numerous.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">BTW, as I was getting ready to post this I learned that <a href="http://goo.gl/odTsJ" target="_blank">IBM for Midsize Businesses</a> will hold a related webinar on May 15 entitled “Mid-Market in the Crosshairs: Why Cybercriminals Are Targeting Midsize Organizations and How to Foil Them.”  Looks like it will cover many of these concepts.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong><span style="text-decoration: underline;">Other discussions of the Utah breach</span></strong></span><br />
<span style="font-family: arial, helvetica, sans-serif;">To learn more about the Utah DTS breach, here are some other good resources that covered this incident.</span></p>
<ul style="text-align: left;">
<li><span style="font-family: arial, helvetica, sans-serif;"><a href="http://www.health.utah.gov/databreach/" target="_blank">Utah Medicaid Data Breach Information</a></span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><a href="http://www.outlookseries.com/A0993/Security/3686_Gary_R._Herbert_UT_Governor_Independent_Audits_Needed_DTS_Medicaid_Data_Breach.htm" target="_blank">Gary R. Herbert, UT Governor: Independent Audits Needed in Wake of DTS Medicaid Data Breach</a></span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><a href="http://www.lexology.com/library/detail.aspx?g=7e62695b-314a-454a-a0ae-d0596f6e6831" target="_blank">Utah Department of Health: a bold repeat marcher in the parade of major PHI security breaches</a></span></li>
<li><span style="font-family: arial, helvetica, sans-serif;"><a href="http://www.network-7.com/utahs-medicaid-data-breach-worse-than-expected/" target="_blank">Utah’s Medicaid Data Breach Worse Than Expected</a></span></li>
</ul>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">This post was written as part of the <a href="http://goo.gl/VQ40C" target="_blank">IBM for Midsize Business program</a>, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.</span></p>
<p><a href="http://privacyguidance.com/blog/wp-content/uploads/2012/04/IBM.jpg"><img class="alignleft size-full wp-image-3175" title="IBM" src="http://privacyguidance.com/blog/wp-content/uploads/2012/04/IBM.jpg" alt="" width="119" height="48" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://privacyguidance.com/blog/2012/04/17/back-to-the-future-security-basics-security-through-obscurity-still-does-not-work/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>6 Good Reasons to De-Identify Data</title>
		<link>http://privacyguidance.com/blog/2012/03/30/6-good-reasons-to-de-identify-data/</link>
		<comments>http://privacyguidance.com/blog/2012/03/30/6-good-reasons-to-de-identify-data/#comments</comments>
		<pubDate>Fri, 30 Mar 2012 19:19:58 +0000</pubDate>
		<dc:creator>Rebecca_Herold</dc:creator>
				<category><![CDATA[privacy]]></category>
		<category><![CDATA[anonymous]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[de-identified data]]></category>
		<category><![CDATA[de-identify]]></category>
		<category><![CDATA[employment practice]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[Keywords: personal information]]></category>
		<category><![CDATA[midmarket]]></category>
		<category><![CDATA[non-compliance]]></category>
		<category><![CDATA[personally identifiable information]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[privacy breach]]></category>
		<category><![CDATA[privacy professor]]></category>
		<category><![CDATA[privacyprof]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[re-identification]]></category>
		<category><![CDATA[re-identify]]></category>
		<category><![CDATA[Rebecca Herold]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sensitive personal information]]></category>
		<category><![CDATA[SPI]]></category>

		<guid isPermaLink="false">http://privacyguidance.com/blog/?p=3153</guid>
		<description><![CDATA[De-identification is a great privacy tool for all types of businesses, of all sizes.  If you have personal data that you want to use for research, marketing, testing applications, statistical trending or some other legitimate purpose, but you don’t need to know the specific individuals involved in order to meet your goals, then you should [...]]]></description>
<content:encoded><![CDATA[<p style="text-align: left;">De-identification is a great privacy tool for all types of businesses, of all sizes.  If you have personal data that you want to use for research, marketing, testing applications, statistical trending or some other legitimate purpose, but you don’t need to know the specific individuals involved in order to meet your goals, then you should consider de-identifying the personal data.  Even though it sounds complicated there are many good methods you can use to accomplish de-identification.  And the great thing is,<span id="more-3153"></span> under many legal constructs de-identification is an acceptable way to use personal information for purposes beyond those for which the personal data was collected.</p>
<p style="text-align: left;">Unfortunately, because of the results of some studies, many organizations now think that de-identification is not a good option.  Over a dozen organizations I spoke with at the <a href="https://www.privacyassociation.org/events_and_programs/global_privacy_summit/" target="_blank">IAPP conference in DC early this month</a> told me, after hearing in a couple of the sessions about the de-identification studies, that they were thinking about advising their business management when they got back to work not to use de-identification because they thought the speakers were advising that it would not be a good privacy preserving action.  But wait, it is! While the related research studies are valid, the results have often been viewed out of context.  I want to explain, at a high level, why more organizations need to use de-identified data.</p>
<p style="text-align: left;"><strong>What is de-identified data?</strong></p>
<p style="text-align: left;">Basically, de-identified data is what you have left after removing directly identifying data items from a file of personal data and the remaining set of data can no longer be associated with a specific individual, or individuals.  Here’s an over-simplification: imagine a photo of a concert audience, in front of the stage where the band is playing.  If you replaced the head of each apparent female in the audience with a red balloon, each apparent male in the audience with a green balloon, replaced each person’s body with a cucumber, and their arms and legs with pipe cleaners, you would have effectively de-identified the photo.  You’ve removed the information that was necessary to identify each individual.  However, you’ve left enough information to be able to do research and such things as determine how many total people were in the audience, how many likely females, how many likely males, and so on.  Now this is very, very simplified, and data de-identification typically involves completely removing data items without replacing them with other things.  But, hopefully it gives you a good visualization for what de-identification means.</p>
<p style="text-align: left;">It is also important to note that, contrary to what I’ve seen written in various recently published legal articles, encrypting data does <strong><em>NOT</em></strong> make it de-identified data!  No data has been removed when it is encrypted.  Encryption simply scrambles the data, using one of many possible encryption algorithms, so that no one without the decryption key can interpret it; whoever holds the key gets every one of the original identifying data items back.</p>
<p style="text-align: left;"><strong>When would you use de-identified data?</strong></p>
<p style="text-align: left;">De-identification is on the verge of being used much more widely as we continue further down the path of “<a href="http://www.pcmag.com/encyclopedia_term/0,2542,t=Big+Data&amp;i=62849,00.asp" target="_blank">Big Data</a>.”  Certainly it makes sense: as we have significantly larger amounts of data, significantly more computing power, and significantly more sophisticated data mining techniques, it becomes easier to take huge amounts of data that would be impossible to sort through manually, or even with our individual personal computers, and within the blink of an eye analyze literally hundreds or even thousands of terabytes (each terabyte is one trillion bytes!) of data.  Such analysis can put together a little bit of information from here and a little bit of information from there, each on its own of no significance to an individual, but when combined possibly revealing a person’s life story.  Because of this increased capability to take many different data sets and correlate personal data items to reveal information about specific individuals’ lives and activities, it becomes more important than ever to use de-identification within these data sets to significantly reduce the related privacy risks.  De-identified data can then be used for beneficial activities such as:</p>
<ol style="text-align: left;">
<li>To allow for groundbreaking healthcare research with patient data that will not infringe upon patient privacy.</li>
<li>To allow for innovative energy research with energy usage data that will not reveal the corresponding energy usage consumers.</li>
<li>To allow for improved marketing based upon consumer activity data without revealing information about the individual consumers from whom the data was collected.</li>
<li>To allow libraries to preserve their readers&#8217; privacy regarding their reading and viewing activities while maintaining statistics and trends about which items are accessed and read.</li>
</ol>
<p>And this list could go on and on.</p>
<p style="text-align: left;"><strong>Reality does not match recent negative comments regarding de-identified data</strong></p>
<p style="text-align: left;">Some impressive academic research studies have shown that under the right circumstances, and with no other, or insufficient, security controls in place, de-identified data may potentially be re-identified.  Examples include the study by <a href="http://www.citeulike.org/user/burd/article/5822736" target="_blank">Latanya Sweeney in 2000</a> and another by <a href="http://uclalawreview.org/pdf/57-6-3.pdf" target="_blank">Paul Ohm in 2010</a>.  These research papers, and others, continue to point out the ways in which de-identified data can be re-identified.  The research findings are very important for those using de-identification to know, so that they can better understand the related risks.  These types of findings understandably alarm business leaders, along with information security and privacy managers, when described in terms of absolutes, because they usually do not want to use within their organizations a method that has been, in their interpretation, labeled as not being effective for privacy protection.</p>
<p style="text-align: left;">Again, business leaders must look at and understand the context within which these, and many other, studies were executed.  The ones I’ve seen did not consider whether additional safeguards such as policies, training, monitoring and logging, just to name a few, were also, or should have been, in place.  And like any other scientific research study, it is important to understand that you take the findings, which typically report the worst case scenario, and then determine the mitigating controls that are necessary to bring the privacy risks down to an acceptable level, which then allows for real advances in such areas as research, marketing and modeling.</p>
<p style="text-align: left;">Consider the de-identification requirements under HIPAA.  The HIPAA Privacy Rule allows for two types of de-identification standards:</p>
<ol style="text-align: left;">
<li>The Safe Harbor Standard, which requires the removal of 18 specific data elements that could uniquely identify an individual, in addition to having the other required security policies and procedures in place for using the resulting de-identified data.</li>
<li>The Statistical Standard, which requires that a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information, and documents how that determination was made.</li>
</ol>
<p style="text-align: left;">To date these HIPAA requirements for de-identifying protected health information (PHI) for the purposes of research have worked comparatively well within the healthcare sector, considering there have been comparatively few privacy complaints and no reported incidents of re-identification breaches.  There have been five breaches reported for research facilities.  <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html" target="_blank">Three of them involved the theft or loss of mobile computer equipment, one involved printed information, and one involved unauthorized access to a server</a>.  None that I could find involved re-identifying de-identified data.  And, according to research published in the Journal of Clinical Research Best Practices (&#8220;HIPAA Complaints in Clinical Research,&#8221; Vol. 4, No. 2, February 2008): &#8220;<em><a href="http://firstclinical.com/journal/2008/0802_Complaints.pdf" target="_blank">Counting just industry-sponsored clinical trials, at least two million study subjects sign HIPAA authorization forms each year. Since HIPAA enforcement began in 2003, at least ten million people have signed the forms. The OCR complaint rate is thus about 1 per 600,000 subjects [0.017%]. The rate is probably ten times lower (1 per 60,000) if we include people who participated in studies not sponsored by industry or who were contacted but did not enroll in a study</a></em>.&#8221; I couldn’t find a more recent similar study, but would love to see any if they are available.</p>
<p style="text-align: left;"><strong>Safeguards are still necessary for de-identified data, just not as stringent</strong></p>
<p style="text-align: left;">Now, here’s a very important point; keep it in your head: Even if you’ve de-identified data, you still need to have some safeguards in place around it!</p>
<p style="text-align: left;">Information security isn’t necessary just to protect personal data.  Information security is necessary to protect all types of data that are valuable to you and your business.  Your de-identified data is valuable to you; otherwise you would not have taken the time and effort to de-identify it.  It is valuable to have for the purposes for which you de-identified it.</p>
<p style="text-align: left;">I’ve heard some business leaders express the opinion that if data is de-identified, then it no longer needs to have security controls implemented to protect it.  This is not true!  Security controls are still necessary, though not nearly as many controls and restrictions are needed as when the data is not de-identified.</p>
<p style="text-align: left;">So what types of security controls do you need for de-identified data? That depends upon the data set you are de-identifying, the purposes for which the de-identified data will be used, where it will be stored, and how many will have access to the de-identified data.  Some of the basic information security controls typically necessary include:</p>
<ul style="text-align: left;">
<li>Establish and document policies and supporting procedures detailing the situations when de-identification needs to occur (e.g., for lab research, marketing research, consumer stats reports, etc.) and the associated controls that need to be in place.</li>
<li>Establish a position or individual with documented responsibility for appropriately using and securing de-identified data.</li>
<li>Provide training for those who will be de-identifying data, and those who will be using and otherwise accessing the de-identified data.</li>
<li>Only allow those with a business need to access de-identified data.</li>
<li>De-identified data should not be allowed to leave your organization except for clearly documented situations and the associated conditions.</li>
<li>Delete de-identified data when it is no longer needed for the purposes for which it was originally created.</li>
<li>Obtain direct consent from the related individuals in situations where the goals of the research mean that not all personally identifying data can be removed.</li>
<li>Perform risk analysis to determine the reasonable likelihood of re-identification.  The higher the risk, the more security controls will need to be implemented and the more restricted access must be.  The lower the risk, the fewer security controls are needed, and the larger the audience that can be provided access.</li>
<li>Enter into contracts, and establish internal procedures to support compliance with those contracts, not to re-identify data where re-identification is a realistic possibility.</li>
<li>Require any third parties with whom you share de-identified data to comply with the policies you’ve established within your organization for using and safeguarding de-identified data.</li>
<li>Perform periodic audits to confirm the de-identified data is still protected at the same levels as it was originally agreed.</li>
</ul>
<p style="text-align: left;"><strong>Six good reasons to de-identify data</strong></p>
<p style="text-align: left;">I work with a large number of small and medium sized businesses (SMBs) whose clients are other businesses.  Many of these SMBs perform application and systems development work and have been using real production customer data for their research, testing and analysis.  The same goes for marketing SMBs doing work for a large number of client companies, plus a wide array of other types of businesses.  So, given the information you now have about de-identified information, it should be clear that it is good for organizations of all sizes, from the largest to the smallest, to consider using de-identification as a privacy protection for several reasons, including the following six.</p>
<ol style="text-align: left;">
<li>By using de-identified data wherever possible, organizations will not only mitigate the risk of privacy breaches for their clients, they will also dramatically reduce their own liability by demonstrating due diligence in the event a privacy breach involving their clients’ data occurs within their business.</li>
<li>Using de-identified data lessens the risk of legal non-compliance.  By using only de-identified data where feasible, organizations doing work for other businesses can significantly reduce the risk of not only privacy breaches but also legal compliance infractions.</li>
<li>De-identification is an effective way to protect privacy in the event the de-identified information is seen or obtained by someone not authorized to see or have the personal data from which it was created.</li>
<li>De-identification allows for important health research to occur while protecting privacy to a much greater extent than if actual patient information, with all identifiers, were used.</li>
<li>De-identification allows for marketing research to occur while honoring posted privacy policies that indicate personal information will not be used for marketing purposes.  Of course, this depends upon how the rest of the privacy policy is written.</li>
<li>De-identification is a unique tool that allows data to be used in business in many more ways than other security tools, such as encryption or access controls, can provide, while also lessening privacy risks.</li>
</ol>
<p style="text-align: left;">If the risks to de-identified data are not mitigated by using accompanying safeguards as described above, the risk of re-identification increases.  However, some of the blanket statements I’ve seen published, typically considering only the technical aspects, that simply say de-identification on its own is not 100% non-reversible and therefore should not be used, would be similar to saying that seat belts alone do not keep 100% of vehicle passengers from being hurt or killed, so therefore seat belts shouldn’t be used.  Doesn&#8217;t this seem like silly logic?  Well, it does now, but early on when seatbelts were introduced most people didn’t want to use them.  History has shown the effectiveness of seatbelts.  Of course you want to use seatbelts, along with airbags, keeping doors shut, having good-working brakes, and so on, to help reduce the harm that could occur in car accidents.  Likewise, de-identification should be used along with other safeguards to reduce privacy risks.  Simply because de-identification may not be a 100% privacy panacea does not mean that it should not be used.  I’m confident history will also show that de-identification is an effective privacy tool when used in conjunction with other privacy tools and information security controls.</p>
<p style="text-align: left;"><strong>Other good de-identification resources</strong></p>
<p style="text-align: left;">To learn more, here are some other good resources that cover various de-identification topics and additional viewpoints.</p>
<ul style="text-align: left;">
<li><a href="http://techatftc.wordpress.com/2012/03/26/tech-highlights-of-the-ftc-privacy-report/" target="_blank">Tech Highlights of the FTC Privacy Report</a></li>
<li><a href="http://www.futureofprivacy.org/2012/03/26/fpf-senior-fellow-peter-swire-ftc-deserves-praise-for-its-de-identification-safe-harbor/" target="_blank">FTC Deserves Praise for its De-Identification &#8220;Safe Harbor&#8221; by Peter Swire</a></li>
<li><a href="http://www.ipc.on.ca/images/Resources/anonymization.pdf" target="_blank">Dispelling the Myths Surrounding De-identification: Anonymization Remains a Strong Tool for Protecting Privacy</a> by Ann Cavoukian, Ph.D. and Khaled El Emam, Ph.D.</li>
<li><a href="http://www.almaden.ibm.com/cs/people/tgrandison/tepr2008.pdf" target="_blank">De-Identification of Clinical Data</a> by Sepideh Khosravifar and Tyrone Grandison</li>
<li><a href="http://www.almaden.ibm.com/cs/people/tgrandison/SOAIC2011_final.pdf" target="_blank">A Privacy Reinforcement Approach against De-identified Dataset</a> by Ci-Wei Lan, Yi-Hui Chen and Tyrone Grandison</li>
</ul>
<p style="text-align: left;"><em>This post was written as part of the </em><a href="http://goo.gl/GKeBR" target="_blank"><em>IBM for Midsize Business</em></a><em> (</em><strong><span style="text-decoration: underline;"><a href="http://goo.gl/VQ40C">goo.gl/VQ40C</a>) </span></strong><em>program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://privacyguidance.com/blog/2012/03/30/6-good-reasons-to-de-identify-data/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>6 Good Reasons NOT To Ask For Facebook Passwords</title>
		<link>http://privacyguidance.com/blog/2012/03/23/6-good-reasons-not-to-ask-for-facebook-passwords/</link>
		<comments>http://privacyguidance.com/blog/2012/03/23/6-good-reasons-not-to-ask-for-facebook-passwords/#comments</comments>
		<pubDate>Fri, 23 Mar 2012 16:43:11 +0000</pubDate>
		<dc:creator>Rebecca_Herold</dc:creator>
				<category><![CDATA[privacy]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[employee privacy]]></category>
		<category><![CDATA[employment practice]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[midmarket]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[privacy professor]]></category>
		<category><![CDATA[privacyprof]]></category>
		<category><![CDATA[Rebecca Herold]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[social network]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[YouTube]]></category>

		<guid isPermaLink="false">http://privacyguidance.com/blog/?p=3140</guid>
		<description><![CDATA[In case you’ve not paid attention to the news in the past week, there has been a barrage of stories (over 1500 turned up in a quick online search) about organizations asking job applicants and employees for their Facebook, Twitter, LinkedIn and other social networking passwords.  It’s a hot topic folks! I’ve listed a bunch [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;">In case you’ve not paid attention to the news in the past week, there has been a barrage of stories (over 1500 turned up in a quick online search) about organizations asking job applicants and employees for their Facebook, Twitter, LinkedIn and other social networking passwords.  It’s a hot topic, folks! I’ve listed a bunch of them at the end of this post.  Compelled password disclosure is a very bad idea for organizations for many reasons.  Here are six that should be compelling to business management:<span id="more-3140"></span></p>
<ol style="text-align: left;">
<li><strong>It may be illegal</strong>.  Depending upon where the business is located, and the associated country, state and local laws, there may be laws against requiring this type of information from job applicants and current employees.  It may also be against some industry laws and/or standards. If there are no such laws now, there could be very soon (e.g., there is proposed legislation in Illinois and Maryland that would forbid public agencies from asking for access to social networks).  Do you really want to face fines, sanctions and other penalties because of implementing a poorly thought-out practice?</li>
<li><strong>It may violate the company’s own established policies</strong>.  Most businesses have their own employee privacy policies.  Some may indicate that they will not ask for such information about personal activities.  Or, the wording could put information such as social media passwords off limits.  Civil actions could ensue.</li>
<li><strong>It *IS* violating the terms of service for social networking sites</strong>.  Don’t laugh.  Even though the social networks themselves seem to commonly violate their own terms of service (and they have many legal cases they are currently embroiled in as a result), you are likely asking your employees to violate a legally binding contract by asking for their password.  For example, the <a href="http://www.facebook.com/legal/terms" target="_blank">Facebook Registration and Account Security requirement #8 states</a>, “You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.”  <a href="http://www.cnn.com/2012/03/23/tech/social-media/facebook-employers/index.html?hpt=hp_t3" target="_blank">Facebook even announced today they would consider taking legal action against companies for requiring passwords to be shared with them</a>.</li>
<li><strong>It can alienate employees</strong>.  As reported in dozens of the articles over the past week, many employees provide their passwords to their employers because they fear losing their jobs if they don’t.  This does not engender happy employees. It may even result in retaliatory actions.  Do business leaders really want their employees to work for them under this type of duress, possibly plotting how to peer into all the bosses’ personal activities?</li>
<li><strong>It will almost surely result in bad PR</strong>.  Just look at the list below of the companies that have been outed as Facebook and Twitter password usurpers.  How could it damage your brand if you are known as the company that wants to snoop through their employees’ YouTube, LinkedIn and Facebook pages?  If your business depends upon consumer trust it could result in significant damage.</li>
<li><strong>It is a clear invasion of privacy</strong>.  Would you ask for the keys to all your employees’ homes so you could enter at any time and see what they are doing within their home?  To see not only their activities, but also watch what they are doing online?  This is not much different. If you want to make sure employees have not done anything that could potentially damage the company, there are many other actions businesses can take that do not infringe so blatantly upon personal privacy.  This really is the most significant of all the reasons to not require passwords, simply from a business (and human) ethics perspective.</li>
</ol>
<p style="text-align: left;">I could go on, but aren&#8217;t these enough to compel any smart and wise business leader not to consider this despicable practice, or to discontinue it if they are currently doing it?</p>
<p style="text-align: left;"><strong><span style="text-decoration: underline;">So, what should businesses with concerns about inappropriate online activity do?</span></strong></p>
<p style="text-align: left;">Well, if you’re concerned about online activities of employees that could be impacting the business (and those are valid concerns), asking for everyone’s social network passwords is not the answer.  Neither is forcing them to log in to their accounts in front of you, and then commandeering their account and inspecting every nook and cranny of their digital world.  (Such action reminds me of the bully in grade school twisting another child’s arm until he cries, “Uncle!”)  C’mon business leaders!  Give yourself a whack on the side of your head and think!</p>
<p style="text-align: left;">Instead, you need to have an internal social media policy, and provide training for your employees about the policies, why you have them (from a business perspective), and associated enforcement activities.  No, you should <strong><em>NOT</em></strong> have one of the policies be that “Everyone must give us their social network passwords.”  Geesh!  Whack up the side of your head!  Instead you need to have policies that cover the following, worded to fit your particular organization:</p>
<ul style="text-align: left;">
<li>Workers should not post information, including any types of images or audio, about co-workers, customers, or business plans or other strategic or confidential business information on their social networking sites.</li>
<li>Workers should not provide advice or consulting help representing the business through their personal social network accounts.</li>
<li>The business may perform online social network searches, as it determines is appropriate, to determine if inappropriate business information has been posted and is publicly accessible.</li>
<li>Depending on the business, it may also be appropriate to ask employees to sign non-disparagement types of contracts for online activities.</li>
</ul>
<p style="text-align: left;">These types of policies are necessary in organizations of all sizes, including small and midsize businesses in addition to large organizations.</p>
<p style="text-align: left;">It is appropriate and reasonable to have policies that address the appropriate use of business information and associated assets, and that relate to business activities.  It is not reasonable to ask employees to open their personal life for business management inspection.  This is the 21<sup>st</sup> century, after all.</p>
<p style="text-align: left;"><strong><span style="text-decoration: underline;">Recent news of compelled provisioning of passwords</span></strong></p>
<p style="text-align: left;">If business leaders are still not convinced, just read through a few of the recent (past couple of days) news stories about organizations asking job applicants and employees for their Facebook, Twitter, and other types of social networking passwords (just do a search, you can find over 1500 more):</p>
<ul style="text-align: left;">
<li><a href="http://www.npr.org/2012/03/21/149091139/resume-cover-letter-and-your-facebook-password" target="_blank">Resume, Cover Letter And Your Facebook Password?</a></li>
<li><a href="http://articles.boston.com/2012-03-20/business/31215793_1_social-networking-password-facebook" target="_blank">Job seekers getting asked for Facebook passwords</a></li>
<li><a href="http://www.informationweek.com/thebrainyard/news/social_networking_consumer/232602936/job-seekers-asked-for-facebook-passwords-debate-roars" target="_blank">Job Seekers Asked For Facebook Passwords: Debate Roars</a></li>
<li><a href="http://www.ksn.com/content/news/also/story/Facebook-Your-password-or-your-job/127csM3wyUS8JtOgDtUQsw.cspx" target="_blank">Facebook: Your password or your job?</a></li>
<li><a href="http://www.forbes.com/sites/jamespoulos/2012/03/22/employers-demanding-facebook-passwords-arent-making-any-friends/" target="_blank">The uncomfortable interview question: What&#8217;s your Facebook password? (Employers Demanding Facebook Passwords Aren&#8217;t Making Any Friends)</a></li>
<li><a href="http://www.washingtonpost.com/blogs/post-leadership/post/forking-over-a-facebook-password-to-an-employer/2011/04/01/gIQAVZKfTS_blog.html" target="_blank">Forking over a Facebook password to an employer?</a></li>
<li><a href="http://www.cnn.com/2012/03/22/tech/social-media/facebook-password-employers/index.html" target="_blank">ACLU: Facebook password isn&#8217;t your boss&#8217; business</a></li>
<li><a href="http://njtoday.net/2012/03/22/nj-lawmaker-wants-to-keep-employers-from-demanding-jobseekers-facebook-passwords/" target="_blank">NJ Lawmaker Wants To Keep Employers From Demanding Jobseekers’ Facebook Passwords</a></li>
<li><a href="http://njtoday.net/2012/03/22/nj-lawmaker-wants-to-keep-employers-from-demanding-jobseekers-facebook-passwords/#ixzz1psiEGn9R" target="_blank">Employers Want Facebook Passwords</a></li>
</ul>
<p style="text-align: left;"><strong><span style="text-decoration: underline;">Companies reported as requesting social network passwords</span></strong></p>
<p style="text-align: left;">Here are a few of the organizations getting bad press for their requests for social network passwords:</p>
<ul style="text-align: left;">
<li>Maryland Department of Public Safety and Correctional Services</li>
<li>Bozeman, Montana</li>
<li>McLean County, Illinois</li>
<li>Spotsylvania County, Virginia Sheriff’s Department</li>
<li>Sears</li>
</ul>
<p style="text-align: left;">Most so far have been public and government organizations.  However, all types of businesses are considering it, which may someday come as a surprise to their employees.</p>
<p style="text-align: left;">Bottom line: Asking job applicants and personnel to provide their personal social network password is a very bad business decision.</p>
<p style="text-align: left;">Oh, and lest you forget, sharing passwords is a BAD SECURITY PRACTICE anyway! (Thanks for that reminder, Mike Dunham)</p>
<p style="text-align: left;"><em>This post was written as part of the </em><a href="http://goo.gl/GKeBR" target="_blank"><em>IBM for Midsize Business</em></a><em> (</em><a href="http://goo.gl/VQ40C">goo.gl/VQ40C</a><em>) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://privacyguidance.com/blog/2012/03/23/6-good-reasons-not-to-ask-for-facebook-passwords/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Encryption: Myths and Must Knows</title>
		<link>http://privacyguidance.com/blog/2012/03/02/encryption-myths-and-must-knows/</link>
		<comments>http://privacyguidance.com/blog/2012/03/02/encryption-myths-and-must-knows/#comments</comments>
		<pubDate>Fri, 02 Mar 2012 15:42:05 +0000</pubDate>
		<dc:creator>Rebecca_Herold</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[BA]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[CE]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[encrypt]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[medium business]]></category>
		<category><![CDATA[midmarket]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy professor]]></category>
		<category><![CDATA[privacy rule]]></category>
		<category><![CDATA[privacyprof]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Rebecca Herold]]></category>
		<category><![CDATA[safeguards]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security rule]]></category>
		<category><![CDATA[small business]]></category>
		<category><![CDATA[SMB]]></category>
		<category><![CDATA[W-2]]></category>
		<category><![CDATA[W2]]></category>

		<guid isPermaLink="false">http://privacyguidance.com/blog/?p=3128</guid>
		<description><![CDATA[I am looking forward to the day when we can look at the news headlines and not see some report about a lost or stolen computing device or storage device that contained unencrypted personal information and/or other sensitive information.  And, I also want to stop seeing stories reappear about such an incident, such as the [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">I am looking forward to the day when we can look at the news headlines and not see some report about a lost or stolen computing device or storage device that contained unencrypted personal information and/or other sensitive information.  And, I also want to stop seeing stories reappear about such an incident, such as <a href="http://www.theregister.co.uk/2012/03/01/nasa_stolen_laptop_unencrypted/" target="_blank">the NASA laptop holding clear-text Space Station control codes that was stolen last year, but is making the headlines yet again today</a>.  NASA is a large enough, and tech-savvy enough, organization to know better!  However, there are many organizations that simply don’t understand what a valuable information security tool encryption is.   I work with many small to medium sized businesses (SMBs), all of which have legal obligations (such as through HIPAA and HITECH, along with contractual requirements) to protect sensitive information, such as personal information.  Over the past year I’ve heard way too many of them make remarks such as…<span id="more-3128"></span></span></p>
<ul style="text-align: left;">
<li><span style="font-family: arial, helvetica, sans-serif;">“I’m using encryption; I have an email add-on that automatically encrypts all my messages.  So, I don’t have to worry about security.”</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">“Our site uses SSL so everything sensitive is encrypted.”</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">“Our IT department created an encryption process to scramble all the data in our server.”</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">“I don’t have to use encryption; I’m not in a regulated industry.”</span></li>
</ul>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Such misconceptions are <a href="http://www.sectechno.com/2009/04/13/unlocking-encryption-myths/" target="_blank">why cyber-crooks have long targeted SMBs</a>: they know that the data there is rarely encrypted, or is encrypted insufficiently.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Here are the common long-held myths related to these misconceptions, and what organizations need to know about these flawed beliefs.</span></p>
<p style="text-align: left;"><strong style="font-family: arial, helvetica, sans-serif;">1. Myth: Using SSL or HTTPS encrypts data everywhere.</strong></p>
<p style="text-align: left; padding-left: 30px;"><span style="font-family: arial, helvetica, sans-serif;"><span style="text-decoration: underline;">You Must Know</span>: It is good that organizations are using HTTPS and SSL!  However, in general HTTPS and SSL only encrypt data on the path between the web server and the web browser.  Once that data reaches storage, an email, or any other location, it is no longer encrypted.  There are different types of encryption for different types of data uses and storage areas.</span></p>
<p style="text-align: left;"><strong style="font-family: arial, helvetica, sans-serif;">2. Myth: Encryption is too expensive for SMBs.</strong></p>
<p style="padding-left: 30px; text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><span style="text-decoration: underline;">You Must Know</span>: Encryption is now a fraction of the cost that it used to be.  There are also some very good freeware encryption tools available.  There is no reason that SMBs, or any other types of organization, or individuals, should not be using encryption; cost is no longer a good excuse.  Encryption is simply too effective a security tool not to use!</span></p>
<p style="text-align: left;"><strong style="font-family: arial, helvetica, sans-serif;">3. Myth: Encryption is too hard to use.</strong></p>
<p style="padding-left: 30px; text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><span style="text-decoration: underline;">You Must Know</span>: Is <strong><em>creating</em></strong> encryption solutions difficult?  Well sure, but because of all the options available from a wide range of vendors you do not have to create your own encryption solution.  Is it hard to use those solutions?  Several years ago using encryption was comparatively difficult.  However, most encryption solutions are now good and easy to use.  Any type of SMB can use whatever kinds of encryption it needs to mitigate risk and meet compliance requirements.</span></p>
<p style="text-align: left;"><strong style="font-family: arial, helvetica, sans-serif;">4. Myth: By using encryption we then don’t need to use firewalls, anti-virus, or other security tools.</strong></p>
<p style="padding-left: 30px; text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><span style="text-decoration: underline;">You Must Know</span>: Au contraire, mon frère! Encryption is indeed a great tool that can protect data.  However, there are many other threats to networks, systems, and applications that encryption does not address, and you need other security controls in place to protect against them.  Firewalls and anti-malware systems and software, just to name a few, are also necessities in today’s high-risk digital environment.  This is commonly referenced as the need to have “security in depth” and &#8220;security in layers.&#8221;  You should implement all the layers of security necessary, which also should include physical security controls (e.g., locked doors) and administrative security controls (e.g., policies), to reduce your risks to acceptable levels.  You should identify all the necessary administrative, physical and technical (which includes encryption) controls within your business risk management plan.</span></p>
<p style="text-align: left;"><strong style="font-family: arial, helvetica, sans-serif;">5. Myth: Encryption must be deployed everywhere in an organization.</strong></p>
<p style="padding-left: 30px; text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><span style="text-decoration: underline;">You Must Know</span>: Appropriate types of encryption solutions should be deployed wherever necessary to mitigate risk to sensitive information.  And the types of encryption will vary based on how the data is stored, transmitted and used.   Some areas of your organization, such as an internal intranet where certain types of data are made available to all employees and protected by an external firewall, typically do not need to be encrypted.  Other areas should always encrypt sensitive data.  Here are some important areas where the appropriate types of encryption solutions should be used:</span></p>
<ul style="text-align: left;">
<li><span style="font-family: arial, helvetica, sans-serif;">Websites: Typically using HTTPS and/or SSL</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Emails: Often using vendor or freeware add-on solutions.  However, many email systems now come with encryption capabilities that you can use.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Mobile computers: Data in storage using one of many different vendor solutions.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Mobile storage devices: There are encryption solutions for disks, USBs, CDs, DVDs and tape.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Wireless transmissions: Using a wide variety of wireless encryption options.</span></li>
</ul>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">I could write much more about each of these myths, but this should get you pointed in the right direction.  If there is enough interest I will write some follow-up posts about each of these.</span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">So, the lessons are that 1) every organization and individual should use encryption to protect data, and 2) sensitive data should always be encrypted on mobile computers and storage devices and in transit through public networks.  If all organizations would start doing this you would see the number of breaches reduced dramatically.</span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Also, most organizations have some type of contractual or regulatory requirements for encryption, particularly for personal information.  A good topic for another day.</span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><em style="font-family: arial, helvetica, sans-serif;">This post was written as part of the </em><a style="font-family: arial, helvetica, sans-serif;" href="http://goo.gl/GKeBR" target="_blank"><em>IBM for Midsize Business</em></a><em style="font-family: arial, helvetica, sans-serif;"> program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.</em></p>
<p style="text-align: left;"><a href="http://privacyguidance.com/blog/wp-content/uploads/2012/02/IBM-Logo.jpg"><img class="alignleft size-full wp-image-3116" title="IBM Logo" src="http://privacyguidance.com/blog/wp-content/uploads/2012/02/IBM-Logo.jpg" alt="" width="207" height="45" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://privacyguidance.com/blog/2012/03/02/encryption-myths-and-must-knows/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Is A W-2 PHI?</title>
		<link>http://privacyguidance.com/blog/2012/02/27/%e2%80%9cis-a-w-2-phi%e2%80%9d/</link>
		<comments>http://privacyguidance.com/blog/2012/02/27/%e2%80%9cis-a-w-2-phi%e2%80%9d/#comments</comments>
		<pubDate>Mon, 27 Feb 2012 18:15:49 +0000</pubDate>
		<dc:creator>Rebecca_Herold</dc:creator>
				<category><![CDATA[BA]]></category>
		<category><![CDATA[CE]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[midmarket]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy professor]]></category>
		<category><![CDATA[privacy rule]]></category>
		<category><![CDATA[privacyprof]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Rebecca Herold]]></category>
		<category><![CDATA[safeguards]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security rule]]></category>
		<category><![CDATA[W-2]]></category>
		<category><![CDATA[W2]]></category>

		<guid isPermaLink="false">http://privacyguidance.com/blog/?p=3108</guid>
		<description><![CDATA[“Is a W-2 form protected health information?” is a simple question with a complex answer that begins (I know, to the nail-biting chagrin of many), “It depends…” First the full question: “If a scan of a W-2 is submitted as part of a patient’s financial assistance application is it considered protected health information (PHI)?” It [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">“Is a W-2 form protected health information?” is a simple question with a complex answer that begins (I know, to the nail-biting chagrin of many), “It depends…”</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">First the full question:<span id="more-3108"></span></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">“If a scan of a W-2 is submitted as part of a patient’s financial assistance application is it considered protected health information (PHI)?”</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">It depends upon considering several factors, including</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">1) Is the information within a W-2 explicitly <strong><em>excluded</em></strong> from being PHI within HIPAA?</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">2) Is the information within a W-2 explicitly <strong><em>included</em></strong> as being a type of PHI?</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">3) Is the information within the W-2 itself used by the covered entity (CE) for treatment, payment, or healthcare operations (TPO) in a way that would put it under the definition of PHI?</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">The question was framed as meaning the entire W-2 form was being “submitted” for financial assistance to pay for healthcare, so with this in mind, we will consider it as one document containing several information items that are necessarily grouped together.</span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Let’s first consider background information.</span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong><span style="text-decoration: underline;">Definitions</span></strong></span></p>
<p style="text-align: left;"><span style="text-decoration: underline; font-family: arial, helvetica, sans-serif;">Protected Health Information (PHI)</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">For the purposes of our analysis, &#8220;protected health information&#8221; (PHI) is the same as &#8220;individually identifiable health information&#8221; (IIHI) <strong><em><span style="text-decoration: underline;">with the following exceptions</span></em></strong> defined under HIPAA:</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">(2) Protected health information excludes individually identifiable health information in:</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">(i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">(iii) Employment records held by a covered entity in its role as employer.</span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="text-decoration: underline; font-family: arial, helvetica, sans-serif;">Individually Identifiable Health Information (IIHI)</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">What is “individually identifiable health information” (IIHI)? Under HIPAA it is defined as:</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and </em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(i) That identifies the individual; or </em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.</em></span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="text-decoration: underline; font-family: arial, helvetica, sans-serif;">W-2 Form</span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">What is on a W-2 form?</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">a. Employee&#8217;s social security number (<strong><em>a PHI item</em></strong>)</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">b. Employer identification number (EIN)</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">c. Employer&#8217;s name, address, and ZIP code</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">d. Control number</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">e. Employee&#8217;s first name and initial, Last name, Suff. (<strong><em>PHI items</em></strong>)</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">f. Employee&#8217;s address and ZIP code (<strong><em>PHI items</em></strong>)</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">1. Wages, tips, other compensation</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">2. Federal income tax withheld</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">3. Social security wages</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">4. Social security tax withheld</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">5. Medicare wages and tips</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">6. Medicare tax withheld</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">7. Social security tips</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">8. Allocated tips</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">9. {blank}</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">10. Dependent care benefits</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">11. Nonqualified plans</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">12a code, 12b code, 12c code, 12d code</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">13. Statutory employee, Retirement plan, Third-party sick pay</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">14. Other</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">15. State, Employer&#8217;s state ID number</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">16. State wages, tips, etc.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">17. State income tax</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">18. Local wages, tips, etc.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">19. Local income tax</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">20. Locality name</span></p>
<p style="text-align: left;"><a href="http://privacyguidance.com/blog/wp-content/uploads/2012/02/W-2-Blank-Form.jpg"><img class="alignleft size-full wp-image-3109" title="W-2 Blank Form" src="http://privacyguidance.com/blog/wp-content/uploads/2012/02/W-2-Blank-Form.jpg" alt="" width="360" height="221" /></a></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Now let’s consider the factors.</span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong>1) </strong><strong><span style="text-decoration: underline;">Is the information within a W-2 explicitly excluded from being PHI within HIPAA? </span></strong></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">According to…</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">(2)(i) above: a W-2 is not an education record in the context of the question.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">(2)(iii) above: the question concerns W-2s submitted by all types of patients, who are not necessarily employees of the CE.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Which leaves (2)(ii) above; records under 20 U.S.C. 1232g(a)(4)(B)(iv) include:</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>“(iv) records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice.”</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">A W-2 form does not fall under this description.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">So, W-2 data has <strong><em><span style="text-decoration: underline;">not</span></em></strong> been explicitly excluded.</span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong>2) </strong><strong><span style="text-decoration: underline;">Is the information within a W-2 explicitly included as being a type of PHI?</span></strong></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Under HIPAA these include:</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(A) </em><em>Names;</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(B) </em><em> All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(1) </em><em>The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(2) </em><em>The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(C) </em><em>All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(D) </em><em>Telephone numbers;</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(E) </em><em> Fax numbers;</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(F) </em><em>Electronic mail addresses;</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(G) </em><em>Social security numbers;</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(H) </em><em>Medical record numbers;</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(I) </em><em>Health plan beneficiary numbers;</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(J) </em><em>Account numbers;</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(K) </em><em>Certificate/license numbers;</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(L) </em><em>Vehicle identifiers and serial numbers, including license plate numbers;</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(M) </em><em>Device identifiers and serial numbers;</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(N) </em><em>Web Universal Resource Locators (URLs);</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(O) </em><em>Internet Protocol (IP) address numbers;</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(P) </em><em>Biometric identifiers, including finger and voice prints;</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(Q) </em><em>Full face photographic images and any comparable images; and</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(R) </em><em> Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(S) </em><em>Genetic Information (In 2010 &#8220;genetic information&#8221; was added to this list. See Regulations Under the Genetic Information Nondiscrimination Act of 2008; Final Rule: </em><a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/genetic/ginafinalrule.pdf"><em>http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/genetic/ginafinalrule.pdf</em></a><em>)</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em><br />
</em>So, at least three of the W-2 data items/fields are part of this list.  However, “W-2 Form” itself, which contains many more types of data items, is not part of this list.  So, subsets of the W-2 form are considered to be PHI, but most of the items are not.</span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong>3) </strong><strong>Is the information within the W-2 itself used by the covered entity (CE) for treatment, payment, or healthcare operations (TPO) in a way that would put it under the definition of PHI? </strong></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Here is where we get to the main crux of the question.</span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Under the definition of IIHI above, a W-2,</span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong><em>YES </em></strong><em>(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and </em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong><em>POSSIBLY </em></strong><em>(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the <strong><span style="text-decoration: underline;">past, present, or future payment</span></strong> for the provision of health care to an individual; and</em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong><em>YES </em></strong><em>(i) That identifies the individual; or </em></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><em>(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.</em></span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">For this question about the W-2, the answer then really depends upon whether A) the W-2 ever reached the CE where the care was provided, or B) it never left a third party that may have done the financial aid application processing.   Here are three primary possibilities:</span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">1)      An outside entity, separate from the covered entity, obtained the W-2, did the financial assistance approval, and passed the approval on to the covered entity without sending the W-2 along.  For example, this could be a bank or credit union.  In this case, since the W-2 never becomes part of the patient file used to approve the financial assistance, it would most likely not be considered PHI by the Department of Health and Human Services (HHS), since it was never received by the CE or otherwise directly used for payment.</span></p>
<p style="text-align: left;"><a href="http://privacyguidance.com/blog/wp-content/uploads/2012/02/Feb-27-Blog-Image-1.jpg"><img class="alignleft size-full wp-image-3111" title="Feb 27 Blog Image 1" src="http://privacyguidance.com/blog/wp-content/uploads/2012/02/Feb-27-Blog-Image-1.jpg" alt="" width="301" height="260" /></a></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">2)      An outside entity, separate from the covered entity, obtained the W-2, did the financial assistance approval, and passed the approval on to the covered entity, in addition to sending the W-2 along.  For example, it is conceivable that this could occur with an accounting firm, or an independent accountant or consultant.  In this case, since the W-2 was sent with the financial assistance documentation, it becomes part of the patient file used to process payments, so it would most likely be considered PHI by the Department of Health and Human Services (HHS).</span></p>
<p style="text-align: left;"><a href="http://privacyguidance.com/blog/wp-content/uploads/2012/02/Feb-27-Blog-Image-2.jpg"><img class="alignleft size-full wp-image-3113" title="Feb 27 Blog Image 2" src="http://privacyguidance.com/blog/wp-content/uploads/2012/02/Feb-27-Blog-Image-2.jpg" alt="" width="248" height="208" /></a></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">3)      A department within the covered entity obtained the W-2, did the financial assistance approval, and processed the financial assistance activities and paperwork.  In this case, since the W-2 was used by the covered entity for payment purposes, and if it became part of the patient file, it would most likely be considered PHI by the Department of Health and Human Services (HHS), since it was directly used as part of payment operations.</span></p>
<p style="text-align: left;"><a href="http://privacyguidance.com/blog/wp-content/uploads/2012/02/Feb-27-Blog-Image-3.jpg"><img class="alignleft size-full wp-image-3115" title="Feb 27 Blog Image 3" src="http://privacyguidance.com/blog/wp-content/uploads/2012/02/Feb-27-Blog-Image-3.jpg" alt="" width="223" height="241" /></a></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong><span style="text-decoration: underline;"> </span></strong></span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;"><strong><span style="text-decoration: underline;">Why Does This Even Matter!?</span></strong></span></p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Many people to whom this question was posed gave a retort that boiled down to, “It doesn’t matter, W-2 data needs to be protected anyway!”</span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">Well, yes, of course W-2 data needs to be safeguarded appropriately regardless of who possesses it.  But it certainly *DOES* matter whether or not it would be considered to be PHI.  Why?  Because the obligations of covered entities (and now business associates under HITECH) for doing specific activities with PHI go far beyond simply safeguarding the PHI.  Under the Privacy Rule, additional activities must be performed for PHI, such as:</span></p>
<p style="text-align: left;">&nbsp;</p>
<ul style="text-align: left;">
<li><span style="font-family: arial, helvetica, sans-serif;">You must then track disclosures of PHI.  If the W-2 was considered to be PHI, then, depending upon the organization, this could add a substantial amount of logging and tracking to a CE&#8217;s procedures, requiring additional resources.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Disclosure requirements, and associated required actions, would need to be expanded to apply to W-2 forms.  Depending upon the organization, this could also substantially expand the scope of activities necessary, and require additional resources.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Business associate contracts would then need to be created for any contracted work that applies strictly to the W-2 forms.  Depending upon the organization and their outsourcing activities, this could substantially add to the activities and resources necessary to support those activities.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">W-2&#8242;s would then also be subject to the same amendment requirements as other types of PHI, which would also expand the associated procedures and related resources.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">Consent and authorization requirements would then be expanded to also apply to W-2s, which would also expand the associated procedures and related resources.</span></li>
<li><span style="font-family: arial, helvetica, sans-serif;">And likely others.</span></li>
</ul>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">For a small to medium sized business, adding such additional procedures, along with the associated time and personnel resources, could result in a significant amount of cost to the business.  Simply deciding, “Yeah, let’s call it PHI, it needs to be protected anyway,” is a shortsighted decision that could end up costing a significant amount that midmarket sized businesses really cannot afford.</span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;"><span style="font-family: arial, helvetica, sans-serif;">This is why such questions are important to ponder and do a bit of analysis around.</span></p>
<p style="text-align: left;">&nbsp;</p>
<p>&nbsp;</p>
<p><em>This post was written as part of the </em><a href="http://goo.gl/GKeBR" target="_blank">IBM for Midsize Business</a><em> (</em><a href="http://goo.gl/GKeBR">http://goo.gl/GKeBR</a><em>) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.</em></p>
<p><a href="http://privacyguidance.com/blog/wp-content/uploads/2012/02/IBM-Logo.jpg"><img class="alignleft size-full wp-image-3116" title="IBM Logo" src="http://privacyguidance.com/blog/wp-content/uploads/2012/02/IBM-Logo.jpg" alt="" width="207" height="45" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://privacyguidance.com/blog/2012/02/27/%e2%80%9cis-a-w-2-phi%e2%80%9d/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is Information Found Online Legally Fair Game To Use For Marketing?</title>
		<link>http://privacyguidance.com/blog/2012/01/24/is-information-found-online-legally-fair-game-to-use-for-marketing/</link>
		<comments>http://privacyguidance.com/blog/2012/01/24/is-information-found-online-legally-fair-game-to-use-for-marketing/#comments</comments>
		<pubDate>Tue, 24 Jan 2012 01:33:24 +0000</pubDate>
		<dc:creator>Rebecca_Herold</dc:creator>
				<category><![CDATA[Marketing]]></category>
		<category><![CDATA[CAN-SPAM]]></category>
		<category><![CDATA[COPPA]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[marketing]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy professor]]></category>
		<category><![CDATA[privacyprof]]></category>
		<category><![CDATA[Rebecca Herold]]></category>
		<category><![CDATA[social marketing]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[social network]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[VPPA]]></category>

		<guid isPermaLink="false">http://privacyguidance.com/blog/?p=3097</guid>
		<description><![CDATA[Social media sites are booming.  The amount of personal information folks are choosing to post to them, such as photos, videos, original stories, thoughts, gossip, and so on, is exploding.  Marketers are drooling at the prospect of using all that “free” information.  Well, it’s really not free, folks. This is a topic of growing concern.  [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-family: arial,helvetica,sans-serif;"><span style="font-family: Calibri;"><span style="font-size: small;">Social media sites are booming.<span style="mso-spacerun: yes;">  </span>The amount of personal information folks are choosing to post to them, such as photos, videos, original stories, thoughts, gossip, and so on, is exploding.<span style="mso-spacerun: yes;">  </span>Marketers are drooling at the prospect of using all that “free” information.<span style="mso-spacerun: yes;">  </span>Well, it’s really not free, folks.<span id="more-3097"></span></span></span></span></p>
<p class="MsoNoSpacing" style="text-align: left; margin: 0in 0in 0pt;"><span style="font-family: arial,helvetica,sans-serif;"><span style="font-family: Calibri; font-size: small;">This is a topic of growing concern, more so than I had realized until I received two separate questions in the past two weeks from two different sources (one from a group of students and another from a marketing professional at a large corporation) about the legal requirements related to using information from social media sites for marketing.  I wrote about the topic of using information from social media sites in 2010 in my blog post, “<a href="http://privacyguidance.com/blog/2010/11/23/3-privacy-mistakes-for-social-media-and-marketing/" target="_blank">3 Privacy Mistakes For Social Media And Marketing</a>”.  Those thoughts still apply.  Now let’s consider some of the legal issues related to activities that harvest information from social media sites to use for marketing purposes.  Here are just a few of the legal issues that marketers, and the organizations they work for, need to know about:</span></span></p>
<ul style="text-align: left;">
<li><span style="font-family: arial,helvetica,sans-serif;"><a href="http://www.law.cornell.edu/uscode/html/uscode15/usc_sec_15_00000041----000-.html" target="_blank">Section 5 of the Federal Trade Commission Act (FTC Act)</a>.  Your posted privacy policy is a legally binding document.  Have your marketers read it?  Do they understand it?  Are they following it?  If they are using information in ways that violate your posted privacy policy, then they are putting your entire organization at risk of civil action, sanctions under the FTC Act, or any of a wide number of other legal problems.  Not to mention bad publicity.</span></li>
<li><span style="font-family: arial,helvetica,sans-serif;"><a href="http://uscode.house.gov/download/pls/15C103.txt" target="_blank">CAN-SPAM Act</a>.  Many marketers are gleaning email addresses from social marketing sites.  I’ve even heard marketers brag about the large number of email addresses they’ve pulled from Facebook alone.  Using such information to send unsolicited marketing messages could be violating the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act).  Organizations and individuals have received multi-million dollar fines for CAN-SPAM Act violations.</span></li>
<li><span style="font-family: arial,helvetica,sans-serif;"><a href="http://www.ftc.gov/ogc/coppa1.htm" target="_blank">COPPA</a>.  Many marketers are interacting with everyone they can get the attention of on social networking sites, and then snagging things such as their names, home addresses, email addresses, and phone numbers if they happen to find them on their sites.  They could be violating the Children’s Online Privacy Protection Act (COPPA) of 1998, which established the requirements by which organizations can obtain and use such personal information from children under 13 years old.  The FTC has applied numerous multi-million dollar fines for such activities.  Are your marketers aware of this regulation, or are they exposing your business to some hefty penalties by grabbing and using personal information of minors?</span></li>
<li><span style="font-family: arial,helvetica,sans-serif;"><a href="http://www.loc.gov/law/find/hearings/pdf/00183854811.pdf" target="_blank">Video Privacy Protection Act (VPPA)</a>.  Even though this is a comparatively older regulation, enacted in 1988 largely as a result of the release of Supreme Court Judge Robert Bork’s video rental records during his controversial Supreme Court nomination process, it is still applicable today to the ways in which videos, and similar media, are streamed over the Internet.  Marketing folks love to know the viewing habits of the public, and many have viewed social networks as goldmines of potential information related to consumer viewing habits, and of potential follow-up to those who fit their target customer profile.  If your marketers are using social media information of individuals for these types of activities without the consent of the applicable individuals, they and/or your organization could be hit with significant sanctions under the VPPA.</span></li>
</ul>
<p class="MsoNoSpacing" style="text-align: left; margin: 0in 0in 0pt;"><span style="font-family: arial,helvetica,sans-serif;"><span style="font-size: small;"><span style="font-family: Calibri;">Consider all the other international, federal, state and local laws and industry regulations that could be added to this list, and the need to consider such legal issues when doing marketing using “found” social network information; the potential for legal nightmares should become clear and compelling.</span></span></span></p>
<p class="MsoNoSpacing" style="text-align: left; margin: 0in 0in 0pt;"><span style="font-family: arial,helvetica,sans-serif;"><span style="font-size: small;"><span style="font-family: Calibri;">As a final thought consider this: if you found a billfold full of credit cards and a social security card on the street, would you be able to just pick it up and start using the cards for your own personal gain, or, more directly comparable, for any number of your business purposes?  Crooks and those without a moral or ethical compass probably would, but others should know that such found information was not free for the taking and using.  The same concept should be used for information “found” online as well.</span></span></span></p>
<p class="MsoNoSpacing" style="text-align: left; margin: 0in 0in 0pt;"><span style="font-family: arial,helvetica,sans-serif;"><span style="font-size: small;"><span style="font-family: Calibri;">The students who wrote to me asked whether or not marketing invades privacy.  The answer is, of course it can!  That is why you need to be aware of what personal information is, and know that privacy goes beyond just knowing the specific legal restrictions for using personal information (although you certainly need to know this as well).</span></span></span></p>
<p style="text-align: left; line-height: 14.25pt;"><span style="font-family: arial,helvetica,sans-serif;"><em><span style="font-size: 10pt;">This post was written as part of the <span style="text-decoration: underline;"><a href="http://goo.gl/GKeBR" target="_blank">IBM for Midsize Business</a></span> program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.</span></em></span></p>
<p><span style="font-family: arial,helvetica,sans-serif;"><em><span style="font-size: 10pt;"><a href="http://privacyguidance.com/blog/wp-content/uploads/2012/01/IBM1.jpg"><img class="size-full wp-image-3098 aligncenter" title="IBM" src="http://privacyguidance.com/blog/wp-content/uploads/2012/01/IBM1.jpg" alt="" width="82" height="23" /></a></span></em></span></p>
]]></content:encoded>
			<wfw:commentRss>http://privacyguidance.com/blog/2012/01/24/is-information-found-online-legally-fair-game-to-use-for-marketing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>High Tech and Low Tech Continue to Bedevil Info Sec and Privacy Practitioners</title>
		<link>http://privacyguidance.com/blog/2012/01/08/high-tech-and-low-tech-continue-to-bedevil-info-sec-and-privacy-practitioners/</link>
		<comments>http://privacyguidance.com/blog/2012/01/08/high-tech-and-low-tech-continue-to-bedevil-info-sec-and-privacy-practitioners/#comments</comments>
		<pubDate>Sun, 08 Jan 2012 15:49:20 +0000</pubDate>
		<dc:creator>Rebecca_Herold</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[mobile computing]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[2011]]></category>
		<category><![CDATA[2012]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[privacyprof]]></category>
		<category><![CDATA[Rebecca Herold]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Smart Grid]]></category>
		<category><![CDATA[Smart Meter]]></category>
		<category><![CDATA[training]]></category>

		<guid isPermaLink="false">http://privacyguidance.com/blog/?p=3079</guid>
		<description><![CDATA[When looking ahead to what may happen in this new year it is necessary to first look back.  Not only to 2011, but when making plans to move forward even further back to help make the best decisions moving forward.   I do a lot of reading, including many mainstream publications written for the general public.  [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">When looking ahead to what may happen in this new year, it is necessary to first look back.  Not only to 2011, but, when making plans to move forward, even further back, to help make the best decisions.   I do a lot of reading, including many mainstream publications written for the general public.  You can see a lot of trends and problems by reading about how the general public is reporting (or not) about them.   I also like to read the various publications specific to information security, privacy, compliance and technology to see the backstories and guts of the problems.  Looking at all such reports helps to provide the more comprehensive view necessary for making good decisions.<span id="more-3079"></span></span></p>
<p style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;"><strong><span style="text-decoration: underline;">2011</span></strong></span></p>
<p style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">Looking back to 2011 some of the events that struck me most when reading through these many different sources included the following:</span></p>
<p style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;"> </span></p>
<ul style="text-align: left;">
<li><span style="font-family: arial,helvetica,sans-serif;">There are more reported privacy breaches than ever before in all types of publications.  And the methods of the breaches are increasing as new technologies and business practices are emerging.  And as business is accomplished through more partnerships with multiple organizations, more breaches are caused by business partners (outsourced and contracted entities) than ever before as well.</span></li>
<li><span style="font-family: arial,helvetica,sans-serif;">Increasingly more mobile computing devices were created and purchased by workers in 2011 than ever before.  <a href="http://www.mactech.com/2012/01/04/tablets-accounted-more-25-mobile-computers-2011" target="_blank">Tablet sales alone accounted for over 25% of all mobile computing device sales</a>.  The use of mobile computers, of all types, is occurring much more quickly within all organizations than the organizations keeping up with finding security controls for them, and in updating their policies and procedures.   Add to the mix the overwhelmingly popular move (supported by business managers, not so much by the information security practitioners) to a “bring your own device” (BYOD) attitude in the workplace, it increases the complexity of information security risk by a hundredfold (and that’s a modest estimate).</span></li>
<li><span style="font-family: arial,helvetica,sans-serif;">At the same time the use of mobile computing devices are increasing, the use of cloud services (yet another type of contracted entity) is also quickly growing.  According to some reports and informal polls, <a href="http://mobile.eweek.com/c/a/Data-Storage/IT-2012-Its-All-About-Control-of-the-Data-579216/" target="_blank">tech savvy folks in the general public own 10 to 20 devices they use regularly to connect to business data via the cloud</a>.  The number of cloud services used by businesses probably is around 10 to 20 for each organization as well, although I haven’t seen any dependable numbers; this is just my own estimate based upon discussions with business leaders throughout the year.</span></li>
<li><span style="font-family: arial,helvetica,sans-serif;">As increased cloud services are used, the amount of data is exploding.  Super data warehouses are going up in a frantic effort to keep pace.  Businesses are starting to put everything into the cloud, including all their backups.   Considering data is the most valuable asset a business has, and that it also brings the most risk, the dependence upon these data warehouses accessed through the cloud has become greater than ever.   Organizations are putting all their data eggs into a few large cloudy baskets (ooh, sorry, I couldn’t resist the geek tweak to the popular idiom), and are pretty much at the mercy of them to keep their businesses going.</span></li>
<li><span style="font-family: arial,helvetica,sans-serif;">A significant event occurred when <a href="http://www.defense.gov/news/newsarticle.aspx?id=65739" target="_blank">the DoD publicly indicated in October that physical attacks </a>could be launched in response to cyber-attacks against military systems.  I was surprised there wasn’t more written about this.  Think about it: bombs can be deployed to physically destroy facilities, and the people within them, as a response to adverse and/or hostile cyber-activities.  This really is a significant landmark in the merging of the physical and cyber worlds.</span></li>
<li><span style="font-family: arial,helvetica,sans-serif;">The smart grid got more attention than ever in 2011, especially towards the end of the year.  That’s good, because it will be a huge, complex network, more complex in many ways than any other, and we need to think proactively about the security and privacy issues and build in controls now, as deployment occurs.  I’ve been leading the <a href="http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CSCTGPrivacy" target="_blank">NIST CSWG Smart Grid Privacy subgroup </a>since June 2009, and we’ve been working hard since that time on addressing the privacy issues.  There <a href="http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CyberSecurityCTG" target="_blank">are 10 other NIST CSWG subgroups </a>that are focusing on the vast number of information security issues, and most have also been working since early 2009.  I was happy to see other research and academic groups take an interest as well in 2011.  In December the MIT Energy Initiative released a report, &#8220;<a href="http://web.mit.edu/mitei/research/studies/the-electric-grid-2011.shtml" target="_blank">The Future of the Electric Grid</a>&#8221;, but I was disappointed to see no mention of the work done by the NIST CSWG groups for the past three years (perhaps I missed something in those 183 pages?), and nothing new was reported that the NIST groups had not already published.</span></li>
<li><span style="font-family: arial,helvetica,sans-serif;">A significant common problem at the heart of almost every (if not all) data breach, and within information security and privacy programs in general, is a lack of information security training, non-existent privacy training, and sparse-to-no ongoing awareness communications to keep security and privacy at the forefront of employees’ minds as they carry out their day-to-day work responsibilities.  I’ve reviewed <a href="http://www.amazon.com/Managing-Information-Security-Awareness-Training/dp/1439815453/ref=sr_1_1?s=books&amp;ie=UTF8&amp;qid=1326034562&amp;sr=1-1" target="_blank">literally hundreds of information security and privacy training and awareness programs</a>, and a large portion of them are ineffective, or downright awful.  Business leaders need to understand that they must provide such education to their personnel if they are going to be successful in effectively safeguarding data.  2011 provided many more examples for me to use to point out that human frailties involving lack of knowledge, lack of training, and continuously repeated mistakes are bigger problems than ever before.</span></li>
</ul>
<p style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;"><strong><span style="text-decoration: underline;">2012</span></strong></span></p>
<p style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">Looking ahead to 2012, it is going to be a very busy and diverse year.  I see these issues from 2011 continuing to increase in importance and publicity throughout the year, along with a few new topics of information security and privacy concern.  Here is what I see as just some of the significant events, as well as issues that need to be addressed:</span></p>
<ol>
<li style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">More emphasis needs to be given to information security and privacy awareness and training, with more active and effective training and ongoing awareness communications.  I&#8217;m hopeful this will happen (even though there’s a nagging doubter in my mind that insists on telling me I&#8217;m wrong).</span></li>
<li style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">At least one breach, larger than any before, will occur within a business partner / business associate type of organization.  I have a feeling it will be within a cloud service.</span></li>
<li style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">More attention needs to be given to business partners, and more oversight and monitoring.  Organizations must go beyond just including an information security clause in their contracts.  Information security and privacy are people issues; breaches cannot be prevented with a contract that the practitioners, who are actually handling the data and information, never see.</span></li>
<li style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">More breaches will occur as a result of personal devices in 2012 than ever before.</span></li>
<li style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">Organizations need to get off the stick, do a risk assessment to determine the extent of personal computing device use within their organizations, and then update their policies, create new procedures, and implement new technologies accordingly.</span></li>
<li style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">Many organizations will completely lose track of where their data is as a result of using cloud services.  How can you protect your data, and keep bad things from happening, if you don&#8217;t even know where that data is located, or who is touching it?  You can&#8217;t.  At least one organization will have a breach with the cloud, with this lack of knowledge at the heart of the problem, which will almost put them out of business.</span></li>
<li style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">Business leaders need to understand cloud services and use them appropriately.  Information security and privacy practitioners need to take the initiative and <em>TELL THEM</em> of the ramifications and risks of using cloud services, and then establish the appropriate controls around cloud service use.</span></li>
<li style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">The DoD will use its newly authorized go-ahead to physically attack an enemy for cyber-hacking.  I anticipate it will be a small target, hopefully unmanned, but that it will be done to send a message that even though there are fewer boots on the ground, the <a href="http://www.cbsnews.com/8301-503544_162-57353042-503544/obama-unveils-new-defense-strategy/" target="_blank">&#8220;leaner and meaner&#8221; military </a>is not averse to taking other such actions to thwart cyber-attacks against military and government networks.</span></li>
<li style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">Smart grid research and concerns will continue.  And, more utilities will be proactively doing much more to address consumer concerns with smart meters than ever before, through public service announcement type messages and other types of education and outreach.</span></li>
<li style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">More emphasis needs to be given to information security and privacy awareness and training, with more active training and ongoing awareness communications.  Yeah, I already said this.  However, it&#8217;s so important, and necessary to <em>ALL</em> information security and privacy issues, that it needs to be repeated.  And whenever I have other opportunities to do so, I will continue to say it.</span></li>
</ol>
<p><em>This post was written as part of the <span style="text-decoration: underline;"><a href="http://goo.gl/GKeBR " target="_blank">IBM for Midsize Business</a></span> program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.</em></p>
<p><em> <a href="http://privacyguidance.com/blog/wp-content/uploads/2012/01/IBM.jpg"><img class="size-full wp-image-3086 aligncenter" title="IBM" src="http://privacyguidance.com/blog/wp-content/uploads/2012/01/IBM.jpg" alt="" width="129" height="28" /></a></em></p>
]]></content:encoded>
			<wfw:commentRss>http://privacyguidance.com/blog/2012/01/08/high-tech-and-low-tech-continue-to-bedevil-info-sec-and-privacy-practitioners/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Make Privacy One of Your 2012 Resolutions</title>
		<link>http://privacyguidance.com/blog/2012/01/03/make-privacy-one-of-your-2012-resolutions/</link>
		<comments>http://privacyguidance.com/blog/2012/01/03/make-privacy-one-of-your-2012-resolutions/#comments</comments>
		<pubDate>Tue, 03 Jan 2012 14:34:53 +0000</pubDate>
		<dc:creator>Rebecca_Herold</dc:creator>
				<category><![CDATA[privacy]]></category>
		<category><![CDATA[Training & awareness]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[education]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacyprof]]></category>
		<category><![CDATA[Rebecca Herold]]></category>
		<category><![CDATA[training]]></category>

		<guid isPermaLink="false">http://privacyguidance.com/blog/?p=3074</guid>
		<description><![CDATA[Happy New Year!  I hope your year is starting out great.  Have you made it to day 3 without breaking any of your resolutions?  How about adding one more&#8230;to know more about how to protect personal information this year. My January privacy tips message has been published and provides some ideas for you to consider [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">Happy New Year!  I hope your year is starting out great.  Have you made it to day 3 without breaking any of your resolutions?  How about adding one more&#8230;<span id="more-3074"></span>to know more about how to protect personal information this year.</span></p>
<p style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">My <a href="http://bit.ly/sMNnSr" target="_blank">January privacy tips message</a> has been published and provides some ideas for you to consider to help better protect your personal information as we enter a new year.</span></p>
<p style="text-align: left;"><span style="font-family: arial,helvetica,sans-serif;">I provide <a href="http://bit.ly/sMNnSr" target="_blank">these tips </a>free each month to help raise awareness of current information security and privacy risks and also to give business leaders a free awareness message to distribute to their personnel as part of their information security and privacy training and awareness program. Such monthly messages help to keep folks aware of the importance of security and privacy and stay on their guard throughout the work day. They also help to support compliance requirements for employee information security and privacy education.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://privacyguidance.com/blog/2012/01/03/make-privacy-one-of-your-2012-resolutions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

